UPDATED 20:56 EDT / SEPTEMBER 23 2021

SECURITY

Apple releases updates for iOS and macOS to address exploited vulnerabilities

Apple Inc. today released updates for iOS and macOS that address several vulnerabilities currently being exploited in the wild.

The updates, iOS 12.5.5, for older models that can’t run iOS 15, and Security Update 2021-006 Catalina, both address the vulnerability known as CVE-2021-30869. The XNU vulnerability affects macOS as well as iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3 and iPod touch.

Apple describes the vulnerability as allowing a malicious application to execute arbitrary code with kernel privileges and notes that an exploit for the issue exists in the wild. Apple gave credit for the discovery of the vulnerability to Eyre Hernandez and Clément Lecigne of the Google Threat Analysis Group and Ian Beer of Google Project Zero.

The iOS update also addressed other vulnerabilities in older Apple devices, including CVE-2021-30860. The vulnerability is described as existing in CoreGraphics and allows for processing a maliciously crafted PDF that may lead to arbitrary code execution.

Apple noted that it’s aware of a report that this issue may have been actively exploited and credits The Citizen Lab for discovering it.

The report Apple refers to is the story in August of software created by Israeli cybersecurity company NSO Group Technologies Ltd. being used to exploit the vulnerability to gain access to data on iPhones. The government of Bahrain reportedly used NSO’s Pegasus software to spy on activists.

Apple had previously addressed the same exploit being used by NSO’s software in macOS, watchOS and later versions of iOS Sept. 13.

Also addressed in the update is CVE-2021-30858, a vulnerability in WebKit found on older Apple devices. It allows for the processing of maliciously crafted web content that may lead to arbitrary code execution. Apple noted that it was aware of reports that the vulnerability was being exploited.

“Apple does a great job of quickly releasing patches to ensure you’re protected from any potential exploits,” Hank Schless, senior manager, security solutions at endpoint-to-cloud security company Lookout Inc., told SiliconANGLE. “However, people often ignore them until they’re forced to update.”

That, he added, could be risky to an enterprise that allows its employees to access corporate resources from their mobile devices. “If an employee leaves this type of vulnerability unpatched, it could give an attacker backstage access to valuable data,” he said. “Enterprises need a way to enforce OS update policies that protect their company and customer data from exploitable

attacks.”

Photo: Pxhere

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU