The Hacker News (THN:739D9EFE8C7F1B29E2430DAC65CDEE52)
Jan 27, 2021 - 5:50 a.m.

Apple Warns of 3 iOS Zero-Day Security Vulnerabilities Exploited in the Wild

2021-01-27 05:50:00
The Hacker News
thehackernews.com

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P


Apple on Tuesday released updates for iOS, iPadOS, and tvOS with fixes for three security vulnerabilities that it says may have been actively exploited in the wild.

Reported by an anonymous researcher, the three zero-day flaws (CVE-2021-1782, CVE-2021-1870, and CVE-2021-1871) could have allowed an attacker to elevate privileges and achieve remote code execution.

The iPhone maker did not disclose how widespread the attack was or reveal the identities of the attackers actively exploiting the flaws.

While the privilege escalation bug in the kernel (CVE-2021-1782) was noted as a race condition that could allow a malicious application to elevate its privileges, the other two shortcomings, dubbed a "logic issue," were discovered in the WebKit browser engine (CVE-2021-1870 and CVE-2021-1871), permitting an attacker to achieve arbitrary code execution inside Safari.

Apple said the race condition and the WebKit flaws were addressed with improved locking and restrictions, respectively.

While exact details of the exploit leveraging the flaws are unlikely to be made public until the patches have been widely applied, it wouldn't be a surprise if they were chained together to carry out watering hole attacks against potential targets.

Such an attack would deliver the malicious code when a victim simply visits a compromised website, which then takes advantage of the aforementioned vulnerabilities to escalate its privileges and run arbitrary commands to take control of the device.

The updates are now available for iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation), as well as Apple TV 4K and Apple TV HD.

News of the latest zero-days comes after the company resolved three actively exploited vulnerabilities in November 2020 and a separate zero-day bug in iOS 13.5.1 that was disclosed as used in a cyberespionage campaign targeting Al Jazeera journalists last year.
