Apple has released security updates to fix a zero-day vulnerability that attackers are actively exploiting against iPhones and Macs running older versions of iOS and macOS.
The zero-day patched today (tracked as CVE-2021-30869) was found in the XNU operating system kernel and was reported by Erye Hernandez and Clément Lecigne of Google Threat Analysis Group and Ian Beer of Google Project Zero.
Successful exploitation of this bug leads to arbitrary code execution with kernel privileges on compromised devices.
"Apple is aware of a report that this issue may have been actively used," Apple said, describing the zero-day bug.
The full list of affected devices includes:
- iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3 and iPod touch (6th generation) with iOS 12.5.5
- Macs with Security Update 2021-006 Catalina.
Apple also backported security updates for two previously fixed zero-day vulnerabilities, one of which was reported by The Citizen Lab and used to deploy NSO Pegasus spyware on compromised devices.
In addition to today's zero-day bug, Apple had to deal with an endless stream of zero-day bugs used in attacks targeting iOS and macOS devices:
- two zero-day vulnerabilities earlier this month, one of which was also used to install Pegasus spyware on an iPhone,
- the FORCEDENTRY exploit unveiled in August,
- three iOS zero-days (CVE-2021-1870, CVE-2021-1871, CVE-2021-1872) in February, actively exploited,
- an iOS zero-day (CVE-2021-1879) in March that may also have been actively exploited,
- one zero-day in iOS (CVE-2021-30661) and one in macOS (CVE-2021-30657) in April, exploited by Shlayer malware,
- three other iOS zero-days (CVE-2021-30663, CVE-2021-30665 and CVE-2021-30666) in May, bugs that allow arbitrary remote code execution (RCE) simply by visiting malicious websites,
- a macOS zero-day (CVE-2021-30713) in May,
- two iOS zero-day bugs (CVE-2021-30761 and CVE-2021-30762) in June that "may have been actively used" to hack older iPhone, iPad and iPod devices.
Source of information: bleepingcomputer.com