2 min read

Apple Rolls Out Urgent Patch for Zero-Day Flaws in iOS, macOS and watchOS

Filip TRUȚĂ

September 14, 2021

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Apple Rolls Out Urgent Patch for Zero-Day Flaws in iOS, macOS and watchOS

Apple this week released multiple security updates to address two critical vulnerabilities in iOS, macOS and watchOS. The company says it has received reports that the flaws “may have been actively exploited.”

One of many zero-days found in WebKit this year, CVE-2021-30858 can enable a malicious actor to execute arbitrary code on the target device by “processing maliciously crafted web content.

CVE-2021-30860, which is nearly identical in nature, describes a flaw in CoreGraphics: “Processing a maliciously crafted PDF may lead to arbitrary code execution,” according to the advisories.

Both flaws are being actively exploited, according to reports by researchers, the company says.

On the mobile side, the vulnerabilities affect iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

On the desktop side, macOS Big Sur, macOS Catalina and macOS Mojave are all impacted.

Even the wearable branch of Apple’s products is impacted, with CVE-2021-30860 also found in watchOS.

Customers are advised to install iOS 14.8 and iPadOS 14.8 to patch their iDevices. Desktop users are told to update to macOS Big Sur 11.6 or to download Security Update 2021-005 Catalina, depending on their desktop configuration.

Safari 14.1.2 patches CVE-2021-30858 for macOS Catalina and macOS Mojave, respectively. After installing this update, users should see the build number for Safari 14.1.2 as 14611.3.10.1.7 on macOS Mojave and 15611.3.10.1.7 on macOS Catalina.

Finally, watchOS 7.6.2 patches CVE-2021-30860 on Apple Watch Series 3 and newer models.

Apple credits The Citizen Lab for finding CVE-2021-30860, only a few weeks after the Toronto-based team published details of a zero-day exploit allegedly used by an Israeli vendor of surveillance solutions.

“Our latest discovery of yet another Apple zero day employed as part of NSO Group’s arsenal further illustrates that companies like NSO Group are facilitating ‘despotism-as-a-service’ for unaccountable government security agencies,” the research team wrote. “Ubiquitous chat apps have become a major target for the most sophisticated threat actors, including nation state espionage operations and the mercenary spyware companies that service them. As presently engineered, many chat apps have become an irresistible soft target.”

Apple users are urged to update their products as soon as possible.

For reference, all affected devices and the advisories for the flaws impacting each product are listed below:

iOS 14.8 and iPadOS 14.8

macOS Big Sur 11.6

macOS Catalina

Safari 14.1.2

watchOS 7.6.2

tags


Author



Right now

Top posts

Enhance your cyber resilience and privacy on Computer Security Day in four easy steps

Enhance your cyber resilience and privacy on Computer Security Day in four easy steps

November 29, 2022

2 min read
How to monitor your online privacy during your Thanksgiving trip

How to monitor your online privacy during your Thanksgiving trip

November 22, 2022

3 min read
Just your yearly dose of Black Friday spam: Cybercrooks get ahead of the game to steal shoppers’ info

Just your yearly dose of Black Friday spam: Cybercrooks get ahead of the game to steal shoppers’ info

November 16, 2022

6 min read
Bitdefender VPN in 2022: the new, the improved, and the soon-to-be

Bitdefender VPN in 2022: the new, the improved, and the soon-to-be

November 14, 2022

5 min read
Cyber Tips for a Spook-Free Halloween

Cyber Tips for a Spook-Free Halloween

October 26, 2022

3 min read
August Spam Debrief: Bitdefender Labs Warns of Fraud Campaigns Exploiting the Russia-Ukraine War

August Spam Debrief: Bitdefender Labs Warns of Fraud Campaigns Exploiting the Russia-Ukraine War

August 31, 2022

4 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

2.2 Million Patients Affected by Data Breach in Pediatric Software Vendor 2.2 Million Patients Affected by Data Breach in Pediatric Software Vendor
Silviu STAHIE

December 07, 2022

1 min read
Hacking cars remotely with just their VIN Hacking cars remotely with just their VIN
Graham CLULEY

December 05, 2022

2 min read
Russian courts attacked by CryWiper malware that poses as ransomware Russian courts attacked by CryWiper malware that poses as ransomware
Graham CLULEY

December 05, 2022

2 min read