Apple has rolled out an update for its iOS and iPadOS operating systems to patch three zero-day security flaws that are being actively exploited in the wild. The trio of flaws affects various versions of iPhones and iPads and the latest generation of iPod touch.
“Apple is aware of a report that this issue may have been actively exploited,” reads Apple’s security advisory describing each security hole that is being plugged with the release of iOS and iPadOS 14.4.
The list of impacted devices includes iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and the 7th generation iPod touch. The Cupertino-based tech titan also issued security updates for one of the vulnerabilities across a range of its other offerings, including Apple Watch (watchOS 7.3) and Apple TVs (tvOS 14.4).
As usual, there’s no word about the perpetrators and targets of the zero-day attacks, which exploit loopholes in the operating system’s kernel and the WebKit browser engine
The first flaw, tracked as CVE-2021-1782 and located in the OS kernel, is a race condition bug that could lead to an escalation of privilege, which could be exploited by an attacker using a malicious application. In plain English, this means that attackers could use the application to gain additional privileges in the device’s operating system, which would allow them to wreak all kinds of havoc.
Meanwhile, the other two security flaws, indexed as CVE-2021-1871 and CVE-2021-1870, reside in the WebKit component, Apple’s open-source web browser engine used by the Safari browser, Mail, and various other iOS and iPadOS apps. According to the bug’s description, it stems from “a logic issue” that could be exploited by a remote attacker and allow them to execute arbitrary code. According to Vulmon, the duo of flaws could be exploited by “by persuading a victim to visit a specially crafted Web site.”
Beyond the three zero-days, which were all unearthed by anonymous researchers, Apple also issued security fixes for flaws affecting its Xcode and iCloud for Windows products.
The Hong Kong Computer Emergency Response Team (HKCERT) issued an alert classifying the vulnerabilities as “extremely high risk” and urging users of the affected Apple devices to apply the updates immediately. If you don’t have automatic updates enabled, you can update your devices manually by going to the Settings menu, then tapping General, and going to the Software Update section.
Apple has previously quashed three other zero-days that were being actively exploited in the wild in November last year.