Apple has released a new batch of security updates and has fixed three iOS zero-days that “may have been actively exploited” by attackers.
The three zero-days
Two of the zero-day vulnerabilities (CVE-2021-1870 and CVE-2021-1871) are logic issues affecting the WebKit browser engine, which may allow a remote attacker to achieve code execution on devices running a vulnerable version of iOS or iPadOS (i.e., those prior to version 14.4).
The third zero-day (CVE-2021-1782) affects the operating systems’ kernel. It is a race condition that can be exploited by a malicious application to elevate privileges on a vulnerable iPhone or iPad. CVE-2021-1782 also affects watchOS and tvOS, and has been fixed in the released updates (watchOS 7.3 and tvOS 14.4).
An anonymous researcher has been credited with reporting all three flaws.
As per usual, Apple has decided not to share specific details about the flaws or the attack(s) they might be used for.
Presumably, the attackers are using one or both of the WebKit flaws to execute an initial malicious payload on targeted devices, then the kernel vulnerability to achieve the necessary privileges to completely compromise the device and spy on targets’ activities.
It’s unknown whether the attacks are targeted or widespread. Apple has noted that additional details will be available soon. In the meantime, users are advised to update their devices to plug the exploited iOS zero-days.
In the last six months, similar iOS zero-days have been leveraged in targeted attacks flagged by the Google Threat Analysis Group (TAG) and Citizen Lab. The latter found them being used to install NSO Group’s Pegasus spyware.
Apple has also released security updates for iCloud for Windows, fixing four vulnerabilities that may lead to arbitrary code execution or heap corruption, and for Xcode, its integrated development environment for macOS, fixing a path handling issue that could allow a malicious application to access arbitrary files on the host device while running an app that uses on-demand resources with Xcode.