Apple warns of arbitrary code execution zero-day being actively exploited on Macs
Remember iPods? The same bug can bite them, and plenty of older iPhones and iPads too
Apple has warned iPhone and Mac users it's aware of security bugs in its software that are being actively exploited.
First off, the iGiant thanked Google for spotting CVE-2021-30869 in macOS Catalina. It's a nasty flaw, as it's in the XNU kernel at the heart of Apple's operating systems including macOS and iOS.
As Apple's advisory explains, "a malicious application may be able to execute arbitrary code with kernel privileges" by exploiting this security hole. Thus, malware running on a system can use the bug to take total control. The fruit-themed company says the flaw existed thanks to a "type confusion issue" that was sorted out "with improved state handling."
The kicker: "Apple is aware of reports that an exploit for this issue exists in the wild." The programming blunder is was exploited along with a flaw in the WebKit browser engine, as used in Safari, to hijack computers, it appears.
The fix is Security Update 2021-006 Catalina, which Macs should be urging peeps to install as you read this article – making this the rare occasion on which it might be best to put down The Register and move on to that task. Here's what one Googler had to say about it:
0day privilege escalation for macOS Catalina discovered in the wild by @eryeh https://t.co/yvCWPo45fL— Shane Huntley (@ShaneHuntley) September 23, 2021
We saw this used in conjunction with a N-day remote code execution targeting WebKit.
Thanks to Apple for getting patch out so quickly.
Next, the kernel flaw's also present in older versions of iOS, and impacts the iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad Mini 2, iPad Mini 3, and iPod Touch.
- Apple, Google yank opposition voting strategy app from Russian software stores
- One-size-fits-all chargers? What a great idea! Of course Apple would hate it, though
- Apple's M1 MacBook screens are stunning – stunningly fragile and defective, that is, lawsuits allege
The fix is iOS 12.5.5, which Apple's advisory points out also addresses arbitrary code execution flaws in WebKit and CoreGraphics. For each of the three flaws, Apple said it is "aware of a report that this issue may have been actively exploited."
The CoreGraphics vulnerability was the one exploited by NSO's spyware, and patched for Apple's latest products earlier this month; now that fix has been brought to iOS 12.
You know the drill, people. And while you're letting Apple's machines patch themselves up, consider that the personal tech titan appears not to have fully fixed a code-execution flaw in the macOS Finder that now everyone's aware of. ®