
Apple releases updates for iOS and macOS to address exploited vulnerabilities

source link: https://siliconangle.com/2021/09/23/apple-releases-updates-ios-macos-address-exploited-vulnerabilities/

Apple Inc. today released updates for iOS and macOS that address several vulnerabilities currently being exploited in the wild.

The updates, iOS 12.5.5 for older models that can’t run iOS 15 and Security Update 2021-006 Catalina, both address the vulnerability tracked as CVE-2021-30869. The XNU vulnerability affects macOS as well as iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3 and iPod touch.

Apple describes the vulnerability as allowing a malicious application to execute arbitrary code with kernel privileges and notes that an exploit for the issue exists in the wild. Apple gave credit for the discovery of the vulnerability to Erye Hernandez and Clément Lecigne of the Google Threat Analysis Group and Ian Beer of Google Project Zero.

The iOS update also addressed other vulnerabilities in older Apple devices, including CVE-2021-30860. The vulnerability is described as existing in CoreGraphics, where processing a maliciously crafted PDF may lead to arbitrary code execution.

Apple noted that it’s aware of a report that this issue may have been actively exploited and credits The Citizen Lab for discovering it.

The report Apple refers to is the story in August of software created by Israeli cybersecurity company NSO Group Technologies Ltd. being used to exploit the vulnerability to gain access to data on iPhones. The government of Bahrain reportedly used NSO’s Pegasus software to spy on activists.

Apple had previously addressed the same exploit being used by NSO’s software in macOS, watchOS and later versions of iOS on Sept. 13.

Also addressed in the update is CVE-2021-30858, a vulnerability in WebKit found on older Apple devices. It allows for the processing of maliciously crafted web content that may lead to arbitrary code execution. Apple noted that it was aware of reports that the vulnerability was being exploited.

“Apple does a great job of quickly releasing patches to ensure you’re protected from any potential exploits,” Hank Schless, senior manager, security solutions at endpoint-to-cloud security company Lookout Inc., told SiliconANGLE. “However, people often ignore them until they’re forced to update.”

That, he added, could be risky to an enterprise that allows its employees to access corporate resources from their mobile devices. “If an employee leaves this type of vulnerability unpatched, it could give an attacker backstage access to valuable data,” he said. “Enterprises need a way to enforce OS update policies that protect their company and customer data from exploitable attacks.”
