2 min read

Apple Rolls Out Urgent Patch for Zero-Day Flaws in iOS, macOS and watchOS

Filip TRUȚĂ

September 14, 2021

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Apple Rolls Out Urgent Patch for Zero-Day Flaws in iOS, macOS and watchOS

Apple this week released multiple security updates to address two critical vulnerabilities in iOS, macOS and watchOS. The company says it has received reports that the flaws “may have been actively exploited.”

One of many zero-days found in WebKit this year, CVE-2021-30858 can enable a malicious actor to execute arbitrary code on the target device by “processing maliciously crafted web content.

CVE-2021-30860, which is nearly identical in nature, describes a flaw in CoreGraphics: “Processing a maliciously crafted PDF may lead to arbitrary code execution,” according to the advisories.

Both flaws are being actively exploited, according to reports by researchers, the company says.

On the mobile side, the vulnerabilities affect iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

On the desktop side, macOS Big Sur, macOS Catalina and macOS Mojave are all impacted.

Even the wearable branch of Apple’s products is impacted, with CVE-2021-30860 also found in watchOS.

Customers are advised to install iOS 14.8 and iPadOS 14.8 to patch their iDevices. Desktop users are told to update to macOS Big Sur 11.6 or to download Security Update 2021-005 Catalina, depending on their desktop configuration.

Safari 14.1.2 patches CVE-2021-30858 for macOS Catalina and macOS Mojave, respectively. After installing this update, users should see the build number for Safari 14.1.2 as 14611.3.10.1.7 on macOS Mojave and 15611.3.10.1.7 on macOS Catalina.

Finally, watchOS 7.6.2 patches CVE-2021-30860 on Apple Watch Series 3 and newer models.

Apple credits The Citizen Lab for finding CVE-2021-30860, only a few weeks after the Toronto-based team published details of a zero-day exploit allegedly used by an Israeli vendor of surveillance solutions.

“Our latest discovery of yet another Apple zero day employed as part of NSO Group’s arsenal further illustrates that companies like NSO Group are facilitating ‘despotism-as-a-service’ for unaccountable government security agencies,” the research team wrote. “Ubiquitous chat apps have become a major target for the most sophisticated threat actors, including nation state espionage operations and the mercenary spyware companies that service them. As presently engineered, many chat apps have become an irresistible soft target.”

Apple users are urged to update their products as soon as possible.

For reference, all affected devices and the advisories for the flaws impacting each product are listed below:

iOS 14.8 and iPadOS 14.8

macOS Big Sur 11.6

macOS Catalina

Safari 14.1.2

watchOS 7.6.2

tags


Author



Right now

Top posts

Ultimate Privacy Guide for Your Facebook Account

Ultimate Privacy Guide for Your Facebook Account

August 31, 2021

6 min read
7 Signs It’s Time to Use Parental Controls On Your Family’s Devices

7 Signs It’s Time to Use Parental Controls On Your Family’s Devices

August 27, 2021

2 min read
Your Netflix Account May Be on Sale on Darkweb. Protect It

Your Netflix Account May Be on Sale on Darkweb. Protect It

August 13, 2021

3 min read
E-mails claiming your computer was hacked and your privacy exposed - what you need to know (spoiler: you can relax - they’re bluffing)

E-mails claiming your computer was hacked and your privacy exposed - what you need to know (spoiler: you can relax - they’re bluffing)

July 29, 2021

5 min read
Watch Out for These Ongoing Bank of America Phishing Campaigns Targeting Customers in the US

Watch Out for These Ongoing Bank of America Phishing Campaigns Targeting Customers in the US

July 16, 2021

3 min read
How to protect yourself against cyberstalking

How to protect yourself against cyberstalking

July 06, 2021

2 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Criminals Can't Wait to Add Your IoT Device to Their DDoS Networks Criminals Can't Wait to Add Your IoT Device to Their DDoS Networks
Silviu STAHIE

October 22, 2021

2 min read
The Emergence of FiveSys, a Malicious Signed Rootkit The Emergence of FiveSys, a Malicious Signed Rootkit
Silviu STAHIE

October 21, 2021

1 min read
Top Reasons why People Are Not Using a Security Tool on Their Phone Top Reasons why People Are Not Using a Security Tool on Their Phone
Filip TRUȚĂ

October 21, 2021

2 min read