Security News > 2021 > September > Apple Patches 3 More Zero-Days Under Active Attack
Apple has patched three actively exploited zero-day security vulnerabilities in updates to iOS and macOS, one of which can allow an attacker to execute arbitrary code with kernel privileges.
Apple released two updates on Thursday: iOS 12.5.5, which patches three zero-days that affect older versions of iPhone and iPod devices, and Security Update 2021-006 Catalina for macOS Catalina, which patches one of same vulnerabilities, CVE-2021-30869, that also affects macOS. The XNU kernel vulnerability - the discovery of which was attributed to Google researchers Erye Hernandez and Clemente Lecigne of Google Threat Analysis Group and Ian Beer of Google Project Zero - is a type-confusion issue that Apple addressed with "Improved state handling," according to its advisory.
The issue tracked as CVE-2021-30858 is described by Apple as a use-after-free issue that the company addressed with improved memory management.
Citizen Lab detected the flaw - tracked by Apple as CVE-2021-30860, a flaw in CoreGraphics - targeting iMessaging in August.
The latest Apple security updates come on the heels of news earlier this week that it quietly slid out an incomplete patch for a zero-day vulnerability in its macOS Finder system - which hasn't fixed the problem yet.
"Even though Apple has been in the news a number of times over these zero-day vulnerabilities, software developers everywhere run into vulnerabilities in their code," he observed in an email to Threatpost.
News URL
https://threatpost.com/apple-patches-zero-days-attack/174988/
Related news
- Apple fixes two new iOS zero-days exploited in attacks on iPhones (source)
- Urgent: Apple Issues Critical Updates for Actively Exploited Zero-Day Flaws (source)
- Apple fixes two actively exploited iOS zero-days (CVE-2024-23225, CVE-2024-23296) (source)
- Apple's trademark tight lips extend to new iPhone, iPad zero-days (source)
- DarkGate Malware Exploited Recently Patched Microsoft Flaw in Zero-Day Attack (source)
- New GoFetch attack on Apple Silicon CPUs can steal crypto keys (source)
- Microsoft fixes two Windows zero-days exploited in malware attacks (source)
- Apple Updates Spyware Alert System to Warn Victims of Mercenary Attacks (source)
- Apple: Mercenary spyware attacks target iPhone users in 92 countries (source)
- Apple stops warning of 'state-sponsored' attacks, now alerts about 'mercenary spyware' (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-08-24 | CVE-2021-30860 | Integer Overflow or Wraparound vulnerability in multiple products An integer overflow was addressed with improved input validation. | 7.8 |
| 2021-08-24 | CVE-2021-30858 | Use After Free vulnerability in multiple products A use after free issue was addressed with improved memory management. | 8.8 |
| 2021-08-24 | CVE-2021-30869 | Type Confusion vulnerability in Apple products A type confusion issue was addressed with improved state handling. | 7.8 |