In a new update from Apple for iOS, the operating system used for iPhone and iPad, the company addresses three zero-day flaws that have been exploited by attackers. The first zero-day is tracked as CVE-2021-1782, which would allow a remote attacker to escalate privileges on the system by exploiting a race condition in the Kernel component. The other two zero-days, tracked as CVE-2021-1870 and CVE-2021-1871, are described as a logic-issue that could allow remote attackers to execute their malicious code inside the device’s Safari Browser. Researchers believe the three zero-days are part of an exploit chain where users are lured to malicious sites that take advantage of the WebKit bug to run code that later escalates its privileges to run system-level code and compromise the device. The security update is available for iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation.
Analyst Notes
All iOS users are highly recommended to download and apply this update as soon as possible. The version of iOS that fixes these vulnerabilities is 14.4. As with all tech devices, if an auto-update feature is available, it should be enabled to ensure that the device, computer, gaming console, server, and software are kept up to date with the newest security definitions. IT and security administrators should also be on the lookout for patches that are published and apply them when possible.
Source Article: https://securityaffairs.co/wordpress/113914/hacking/apple-ios-zero-day.html
Apple support page: https://support.apple.com/kb/HT201222
