Lucene search

K
thn
The Hacker NewsTHN:0D13405795D42B516C33D8E56A44BA9D
HistoryJun 15, 2021 - 3:32 a.m.

Apple Issues Urgent Patches for 2 Zero-Day Flaws Exploited in the Wild

2021-06-1503:32:00
The Hacker News
thehackernews.com
423

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

Apple on Monday shipped out-of-band security patches to address two zero-day vulnerabilities in iOS 12.5.3 that it says are being actively exploited in the wild.

The latest update, iOS 12.5.4, comes with fixes for three security bugs, including a memory corruption issue in ASN.1 decoder (CVE-2021-30737) and two flaws concerning its WebKit browser engine that could be abused to achieve remote code execution —

  • CVE-2021-30761 - A memory corruption issue that could be exploited to gain arbitrary code execution when processing maliciously crafted web content. The flaw was addressed with improved state management.
  • CVE-2021-30762 - A use-after-free issue that could be exploited to gain arbitrary code execution when processing maliciously crafted web content. The flaw was resolved with improved memory management.

Both CVE-2021-30761 and CVE-2021-30762 were reported to Apple anonymously, with the Cupertino-based company stating in its advisory that it’s aware of reports that the vulnerabilities “may have been actively exploited.” As is usually the case, Apple didn’t share any specifics on the nature of the attacks, the victims that may have been targeted, or the threat actors that may be abusing them.

One thing evident, however, is that the active exploitation attempts were directed against owners of older devices such as iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation). The move mirrors a similar fix that Apple rolled out on May 3 to remediate a buffer overflow vulnerability (CVE-2021-30666) in WebKit targeting the same set of devices.

Along with the two aforementioned flaws, Apple has patched a total of 12 zero-days affecting iOS, iPadOS, macOS, tvOS, and watchOS since the start of the year —

  • CVE-2021-1782 (Kernel) - A malicious application may be able to elevate privileges
  • CVE-2021-1870 (WebKit) - A remote attacker may be able to cause arbitrary code execution
  • CVE-2021-1871 (WebKit) - A remote attacker may be able to cause arbitrary code execution
  • CVE-2021-1879 (WebKit) - Processing maliciously crafted web content may lead to universal cross-site scripting
  • CVE-2021-30657 (System Preferences) - A malicious application may bypass Gatekeeper checks
  • CVE-2021-30661 (WebKit Storage) - Processing maliciously crafted web content may lead to arbitrary code execution
  • CVE-2021-30663 (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution
  • CVE-2021-30665 (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution
  • CVE-2021-30666 (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution
  • CVE-2021-30713 (TCC framework) - A malicious application may be able to bypass Privacy preferences

Users of Apple devices are recommended to update to the latest versions to mitigate the risk associated with the vulnerabilities.

Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.

Be first who know about 0-days in popular software

Do not waste time on finding information in tons of articles. Subscribe yourself and your colleagues on news and articles about products you need and you use!

Subscribe on news

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

Related for THN:0D13405795D42B516C33D8E56A44BA9D