2 min read

Apple Rolls Out Urgent Patch for Zero-Day Flaws in iOS, macOS and watchOS

Filip TRUȚĂ

September 14, 2021

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Apple Rolls Out Urgent Patch for Zero-Day Flaws in iOS, macOS and watchOS

Apple this week released multiple security updates to address two critical vulnerabilities in iOS, macOS and watchOS. The company says it has received reports that the flaws “may have been actively exploited.”

One of many zero-days found in WebKit this year, CVE-2021-30858 can enable a malicious actor to execute arbitrary code on the target device by “processing maliciously crafted web content.

CVE-2021-30860, which is nearly identical in nature, describes a flaw in CoreGraphics: “Processing a maliciously crafted PDF may lead to arbitrary code execution,” according to the advisories.

Both flaws are being actively exploited, according to reports by researchers, the company says.

On the mobile side, the vulnerabilities affect iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

On the desktop side, macOS Big Sur, macOS Catalina and macOS Mojave are all impacted.

Even the wearable branch of Apple’s products is impacted, with CVE-2021-30860 also found in watchOS.

Customers are advised to install iOS 14.8 and iPadOS 14.8 to patch their iDevices. Desktop users are told to update to macOS Big Sur 11.6 or to download Security Update 2021-005 Catalina, depending on their desktop configuration.

Safari 14.1.2 patches CVE-2021-30858 for macOS Catalina and macOS Mojave, respectively. After installing this update, users should see the build number for Safari 14.1.2 as 14611.3.10.1.7 on macOS Mojave and 15611.3.10.1.7 on macOS Catalina.

Finally, watchOS 7.6.2 patches CVE-2021-30860 on Apple Watch Series 3 and newer models.

Apple credits The Citizen Lab for finding CVE-2021-30860, only a few weeks after the Toronto-based team published details of a zero-day exploit allegedly used by an Israeli vendor of surveillance solutions.

“Our latest discovery of yet another Apple zero day employed as part of NSO Group’s arsenal further illustrates that companies like NSO Group are facilitating ‘despotism-as-a-service’ for unaccountable government security agencies,” the research team wrote. “Ubiquitous chat apps have become a major target for the most sophisticated threat actors, including nation state espionage operations and the mercenary spyware companies that service them. As presently engineered, many chat apps have become an irresistible soft target.”

Apple users are urged to update their products as soon as possible.

For reference, all affected devices and the advisories for the flaws impacting each product are listed below:

iOS 14.8 and iPadOS 14.8

macOS Big Sur 11.6

macOS Catalina

Safari 14.1.2

watchOS 7.6.2

tags


Author



Right now

Top posts

The Holiday Guide to Tech Support: Fixing the Family Computer

The Holiday Guide to Tech Support: Fixing the Family Computer

November 24, 2021

2 min read
Bitdefender Celebrates 20 Years of Cybersecurity Leadership

Bitdefender Celebrates 20 Years of Cybersecurity Leadership

November 04, 2021

3 min read
Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords

Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords

October 26, 2021

3 min read
What are drive-by download attacks and how do you prevent them?

What are drive-by download attacks and how do you prevent them?

October 25, 2021

2 min read
Criminals Can't Wait to Add Your IoT Device to Their DDoS Networks

Criminals Can't Wait to Add Your IoT Device to Their DDoS Networks

October 22, 2021

2 min read
Six in 10 Consumers Faced a Cyber Threat in 2021, New Bitdefender Study Reveals

Six in 10 Consumers Faced a Cyber Threat in 2021, New Bitdefender Study Reveals

October 20, 2021

3 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Iranian Threat Actor Deployed Malicious PowerShell Script through Phishing, Then Stole Files and Credentials Iranian Threat Actor Deployed Malicious PowerShell Script through Phishing, Then Stole Files and Credentials
Silviu STAHIE

November 26, 2021

1 min read
Ukraine Arrests Five iPhone Hackers of the Phoenix International Hacking Group Ukraine Arrests Five iPhone Hackers of the Phoenix International Hacking Group
Filip TRUȚĂ

November 26, 2021

1 min read
Couple arrested for secretly installing cryptomining software on department store PCs Couple arrested for secretly installing cryptomining software on department store PCs
Graham CLULEY

November 26, 2021

1 min read