Apple Patches Zero-Day Flaws Under Active Attack
Apple patched three zero-day security vulnerabilities in updates to iOS and macOS. One of the flaws can allow a hacker to execute arbitrary code with kernel privileges. Apple released two updates: one for iOS, which patches three zero-days that affect older versions of iPhone and iPod devices, and Security Update 2021-006 for macOS Catalina, which patches CVE-2021-30869.
The XNU kernel vulnerability is a type-confusion issue that Apple addressed with "improved state handling." It allows a malicious app to execute arbitrary code with kernel privileges, and it is being actively exploited. The flaw also affects the WebKit browser engine. The issue affects macOS Catalina as well as older iOS devices.
Another zero-day flaw patched in the iOS update also affects WebKit on older iOS devices. The issue is a use-after-free flaw that Apple addressed with improved memory management. Processing maliciously crafted web content may lead to arbitrary code execution. The latest Apple security updates come after the company quietly rolled out an incomplete patch for a zero-day vulnerability in its macOS Finder system, which hasn't been fixed yet. It could allow remote hackers to trick users into running arbitrary commands.
Apple spends a lot of effort trying to keep up with security vulnerabilities. But even with those efforts, Apple has been in the news a number of times over these zero-day vulnerabilities. Data is at risk if users don't update their mobile devices, so users should apply the fixes for actively exploited flaws as soon as they are available.