Apple has released fixes for three vulnerabilities embedded in the core operating systems of its iPhone, iPad and Apple TV products, that have been exploited in the wild.
The three zero-day vulnerabilities found in Apple’s iOS, iPadOS and tvOS have been fixed with iOS 14.4, iPadOS 14.4 and tvOS 14.4, but the firm confirmed the flaws have already been exploited by cyber criminals.
The vulnerability tracked as CVE-2021-1782 paves the way for a malicious application to elevate privileges, and is present in the kernel of all three Apple systems. It has been described as a race condition, which has now been addressed with improved locking.
Both CVE-2021-1871 and CVE-2021-1870 concern the WebKit browser engine of iPadOS and iOS, and allows attackers to cause arbitrary code execution. These have been described as a logic issue that was addressed with improved restrictions.
The devices affected include iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, iPod touch (7th generation), as well as Apple TV 4K and Apple TV HD. The company, however, declined to disclose how broad the attack was, or who specifically has been targeted by hackers exploiting these flaws.
The flaws were flagged to Apple by an anonymous researcher, and, unfortunately, no further details have been made available.
RELATED RESOURCE
The complete guide to changing your phone system provider
Optimise your phone system for better business results
"Apple admitting to iPhone security vulnerabilities is about as rare as someone getting struck by lightning. So kudos for them for releasing iOS 14.4 with patches for the three identified bugs,” said the chief security officer at Cybereason, Sam Curry.
“What we won't know for some time is how widespread the threat is. That information is reportedly forthcoming. I say to Apple, don’t stop there as transparency is extremely important because you are one of the largest companies in the world and tens of millions of people trust you to get trust right.”
Curry added that Apple should dig deeper into the investigation and come up with new countermeasures and controls.
-
What is polymorphic malware?Explainer Polymorphic malware constantly changes its code to avoid detection, making it a top cybersecurity threat that demands advanced, behavior-based defenses
-
Outgoing Kaseya CEO teases "this is just the beginning" for the companyOpinion We spoke to Fred Voccola who remains a key figurehead at the firm as it enters its next chapter...
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to knowNews Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
-
Researchers claim an AMD security flaw could let hackers access encrypted dataNews Using only a $10 test rig, researchers were able to pull off the badRAM attack
-
A journey to cyber resiliencewhitepaper DORA: Ushering in a new era of cyber security
