Apple today released software updates to patch vulnerabilities in iPhones and iPads that may have been exploited by miscreants to silently snoop on victims from afar.
Folks should check for and install the latest version of their iOS, iPadOS, watchOS, and tvOS software. Here's the quick rundown of the programming blunders:
- CVE-2021-1782: Fixed in iOS 14.4 and iPadOS 14.4, available for iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation). This kernel-level race condition can be exploited by malicious code on a device – such as a rogue or hijacked app – to gain control of the iThing. Apple said it is "aware of a report that this issue may have been actively exploited." How would one inject malicious code into a device? Look no further than...
- CVE-2021-1871, CVE-2021-1870: Also fixed in iOS 14.4 and iPadOS 14.4, a logic bug in WebKit that can be exploited by a malicious webpage – opened in, say, Safari – to execute arbitrary code. Again, Apple is aware this may have been exploited in the wild.

Presumably someone chained these bugs with the above one to take control of someone's handheld after tricking them into visiting a booby-trapped website. The page would inject and execute a payload in Safari, which would then use the kernel vulnerability to gain the necessary privileges to commandeer the equipment, spy on its owner, snoop on communications, and so on.
The CVE-2021-1782 flaw is also fixed in tvOS 14.4, available for Apple TV 4K and Apple TV HD models, and watchOS 7.3, available for the Apple Watch Series 3 and later. All three bugs were reported to Apple privately by an anonymous researcher.
In addition to these fixes, Apple also emitted Xcode 12.4, which fixes CVE-2021-1800, a bug that can be exploited by malicious applications running on someone's Mac to access a user's personal files. It was reported by Theodore Dubois, and is not believed to have been exploited in the wild.
The iGiant also released iCloud for Windows 12.0 to address:
- CVE-2020-29611: Found by Ivan Fratric of Google Project Zero, this vulnerability can be exploited by a specially crafted image to achieve arbitrary code execution. That means you could send a picture to someone, and if it's opened by them using this software, malware hidden in the file could be allowed to run and get up to all sorts of mischief.
- CVE-2020-29618: Found by Xingwei Lin of Ant Security Light-Year Lab, this works just like the above image-parsing hole, leading to code execution.
- CVE-2020-29617, CVE-2020-29619: Xingwei Lin again, this time with bugs that can corrupt the heap, and presumably crash the application, via a maliciously crafted image.
None of the iCloud for Windows flaws are said to have been exploited in the wild.
The iOS and iPadOS patches come a day after Google revealed North Korea's hackers had targeted information security researchers, luring them to a website that seemingly contained a Chrome zero-day exploit to infect their Windows PCs and offering them malware-infected Visual Studio project files.
A spokesperson for Apple was not immediately available to confirm whether or not today's software updates and yesterday's disclosure are linked. ®