Apple Patches Three Actively Exploited Zero-Days, Part of iOS Emergency Update

An anonymous researcher identified bugs in the software’s kernel and WebKit browser engine that are likely part of an exploit chain.

Apple continues to put out potential security fires by patching zero-day vulnerabilities, releasing an emergency update this week to patch three more recently discovered in iOS after a major software update in November already fixed three that were being actively exploited.

The newly patched bugs are part of a security update released Tuesday for iOS 14.4 and iPadOS 14.4. One bug, tracked as CVE-2021-1782, was found in the OS kernel, while the other two–CVE-2021-1870 and CVE-2021-1871–were discovered in the WebKit browser engine.

The most recent vulnerabilities apparently weren’t known when Apple released iOS 14.2 and iPadOS 14.2, a comprehensive update that patched a total of 24 vulnerabilities back in November. That update included fixes for three zero-day flaws discovered by the Google Project Zero team that were actively being exploited in the wild.
Attackers also may be actively taking advantage of the latest bugs, according to Apple. The company described the kernel flaw as a “a race condition” that the update addresses “with improved locking.” If exploited, the vulnerability can allow a malicious application to elevate privileges.

The WebKit vulnerabilities are both logic issues that the update addresses with improved restrictions, according to Apple. Exploiting these flaws would allow a remote attacker “to cause arbitrary code execution,” the company said.

All the zero-days and thus the fixes affect iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation), according to Apple. Security experts believe the three are part of an exploit chain attackers can use to escalate privileges and compromise a device after its unsuspecting user falls victim to a malicious website leveraging the WebKit flaw.

As is custom, however, Apple did not go into detail about how the bugs are being used in attacks, as it doesn’t typically reveal this type of info until most of the affected devices are patched.

The proliferation of iPhones across the world makes news of any Apple iOS zero-day a security threat to its hundreds of millions of users, and thus a very big deal. In fact, four nation-state-backed advanced persistent threats (APTs) used a zero-day iPhone exploit in a highly publicized espionage hack against Al Jazeera journalists, producers, anchors and executives late last year.

Predictably, numerous iPhone users, tech professionals and security experts took to Twitter as news of the latest spate of iOS zero-days broke to warn iPhone users to update their devices immediately.

“iOS release notes are always comforting when you have firsts like this,” tweeted one iPhone user Daniel Sinclair sarcastically. “3 zero-days actively exploited in the wild. 2 involving WebKit.”

Sinclair also tweeted earlier in the month that his iPhone “inexplicably became bricked,” though it’s unclear if that issue was related to the recently discovered zero-days.

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.