Apple emits emergency iOS security updates while warning holes may have been exploited in wild by hackers

Plus fixes for iPadOS, tvOS, watchOS, Xcode, iCloud for Windows – and a day after Google disclosed Nork op


Apple today released software updates to patch vulnerabilities in iPhones and iPads that may have been exploited by miscreants to silently snoop on victims from afar.

Folks should check for and install the latest version of their iOS, iPadOS, watchOS, and tvOS software. Here's the quick rundown of the programming blunders:

CVE-2021-1782: Fixed in iOS 14.4 and iPadOS 14.4, available for iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation). This kernel-level race condition can be exploited by malicious code on a device – such as a rogue or hijacked app – to gain control of the iThing. Apple said it is "aware of a report that this issue may have been actively exploited." How would one inject malicious code into a device? Look no further than...

CVE-2021-1871, CVE-2021-1870: Also fixed in iOS 14.4 and iPadOS 14.4, a logic bug in WebKit that can be exploited by a malicious webpage – opened in, say, Safari – to execute arbitrary code. Again, Apple is aware this may have been exploited in the wild.

Presumably someone chained these bugs with the above one to take control of someone's handheld after tricking them into visiting a booby-trapped website. The page would inject and execute a payload in Safari, which would then use the kernel vulnerability to gain the necessary privileges to commandeer the equipment, spy on its owner, snoop on communications, and so on.

The CVE-2021-1782 flaw is also fixed in tvOS 14.4, available for Apple TV 4K and Apple TV HD models, and watchOS 7.3, available for the Apple Watch Series 3 and later. All three bugs were reported to Apple privately by an anonymous researcher.

In addition to these fixes, Apple also emitted Xcode 12.4 that fixes CVE-2021-1800, a bug that can be exploited by malicious applications running on someone's Mac to access a user's personal files. It was reported by Theodore Dubois, and is not believed to have been exploited in the wild.

The iGiant also released iCloud for Windows 12.0 to address:

  • CVE-2020-29611: Found by Ivan Fratric of Google Project Zero, this vulnerability can be exploited by a specially crafted image to achieve arbitrary code execution. That means you could send a picture to someone, and if it's opened by them using this software, malware hidden in the file could be allowed to run and get up to all sorts of mischief.
  • CVE-2020-29618: Found by Xingwei Lin of Ant Security Light-Year Lab, this works just like the above image-parsing hole, leading to code execution.
  • CVE-2020-29617, CVE-2020-29619: Xingwei Lin again, this time with bugs that can corrupt the heap, and presumably crash the application, via a maliciously crafted image.

None of the iCloud for Windows flaws are said to have been exploited in the wild.
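For admins checking a fleet against the fixed versions listed above, here is an added Python audit (not Apple's code or anything from this article) that compares a constructed device inventory to the patch levels and CVEs named here; the inventory format and device ids are assumptions.

```python
# Added example (not Apple's code): audit a constructed device inventory against
# the fixed versions named above. Inventory format and device ids are assumed.
# Minimum fixed version per platform and the CVEs that release addresses.
PATCH_LEVELS = {
    "iOS": ("14.4", ["CVE-2021-1782", "CVE-2021-1870", "CVE-2021-1871"]),
    "iPadOS": ("14.4", ["CVE-2021-1782", "CVE-2021-1870", "CVE-2021-1871"]),
    "tvOS": ("14.4", ["CVE-2021-1782"]),
    "watchOS": ("7.3", ["CVE-2021-1782"]),
    "Xcode": ("12.4", ["CVE-2021-1800"]),
    "iCloud for Windows": ("12.0", ["CVE-2020-29611", "CVE-2020-29617",
                                    "CVE-2020-29618", "CVE-2020-29619"]),
}
# CVEs Apple says may have been actively exploited, so these go first.
EXPLOITED_IN_WILD = {"CVE-2021-1782", "CVE-2021-1870", "CVE-2021-1871"}

def parse_version(text):
    """'14.4.1' -> (14, 4, 1); non-numeric components count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.strip().split("."))

def is_at_least(installed, required):
    """Dotted-version comparison, padding the shorter tuple with zeros."""
    a, b = parse_version(installed), parse_version(required)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))

def missing_cves(platform, installed):
    """CVEs from this advisory the device still lacks; [] if patched or not covered."""
    if platform not in PATCH_LEVELS:
        return []
    fixed_in, cves = PATCH_LEVELS[platform]
    return [] if is_at_least(installed, fixed_in) else list(cves)

def audit(inventory):
    """Map device id -> (missing CVEs, True if any is reported exploited)."""
    report = {}
    for dev in inventory:
        gaps = missing_cves(dev["platform"], dev["version"])
        if gaps:
            report[dev["id"]] = (gaps, bool(EXPLOITED_IN_WILD & set(gaps)))
    return report

# Constructed sample inventory, not real devices.
SAMPLE_INVENTORY = [
    {"id": "iphone-01", "platform": "iOS", "version": "14.3"},
    {"id": "ipad-01", "platform": "iPadOS", "version": "14.4.1"},
    {"id": "watch-01", "platform": "watchOS", "version": "7.2"},
    {"id": "mac-01", "platform": "Xcode", "version": "12.3"},
    {"id": "win-01", "platform": "iCloud for Windows", "version": "11.4"},
]
```

Devices flagged with the exploited-in-the-wild marker are the ones to update first; the rest still need the release but carry no report of active exploitation.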

The iOS and iPadOS patches come a day after Google revealed North Korea's hackers had targeted information security researchers, luring them to a website that seemingly contained a Chrome zero-day exploit to infect their Windows PCs and offering them malware-infected Visual Studio project files.

A spokesperson for Apple was not immediately available to confirm whether or not today's software updates and yesterday's disclosure are linked. ®


Biting the hand that feeds IT © 1998–2022