Apple fixes a new zero-day bug that is being actively exploited!

Apple has released security updates to fix a zero-day vulnerability that hackers are actively exploiting to attack iPhones and Macs running older versions of iOS and macOS.

The zero-day patched today (tracked as CVE-2021-30869) was found in the XNU operating system kernel and was reported by Erye Hernandez and Clément Lecigne of Google Threat Analysis Group and Ian Beer of Google Project Zero.

Successful exploitation of this bug leads to arbitrary code execution with kernel privileges on compromised devices.

"Apple is aware of a report that this issue may have been actively used," Apple said, describing the zero-day bug.

The full list of affected devices includes:

  • iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3 and iPod touch (6th generation) with iOS 12.5.5
  • Macs with Security Update 2021-006 Catalina.

Apple also backported security updates for two previously fixed zero-day vulnerabilities, one of which was reported by The Citizen Lab and used to deploy NSO Pegasus spyware on compromised devices.

In addition to today's zero-day bug, Apple has had to deal with an endless stream of zero-day bugs used in attacks targeting iOS and macOS devices:

  • two zero-day vulnerabilities earlier this month, one of which was also used to install Pegasus spyware on an iPhone,
  • the FORCEDENTRY exploit unveiled in August,
  • three iOS zero-days (CVE-2021-1870, CVE-2021-1871, CVE-2021-1872) in February, actively exploited,
  • an iOS zero-day (CVE-2021-1879) in March that may also have been actively exploited,
  • one zero-day on iOS (CVE-2021-30661) and one on macOS (CVE-2021-30657) in April, exploited by the Shlayer malware,
  • three other iOS zero-days (CVE-2021-30663, CVE-2021-30665 and CVE-2021-30666) in May, bugs that allow arbitrary remote code execution (RCE) simply by visiting malicious websites,
  • a macOS zero-day (CVE-2021-30713) in May,
  • two iOS zero-day bugs (CVE-2021-30761 and CVE-2021-30762) in June that "may have been actively used" to hack older iPhone, iPad and iPod devices.

Source of information:

Teo Ehc