Apple has addressed three zero-day vulnerabilities in iOS that have been exploited in the wild with the release of security updates (iOS 14.4).
The first zero-day issue, tracked as CVE-2021-1782, is a race condition that resides in the iOS operating system kernel.
“A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited.” reads the advisory. “A race condition was addressed with improved locking.”
Apple security update is available for iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation).
The other two zero-day flaws, tracked as CVE-2021-1870 and CVE-2021-1871 respectively, reside in the WebKit browser engine.
Both issues are logic issues that could be exploited by remote attackers to execute arbitrary code inside users’ Safari browsers.
“A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.” reads tthe advisory.
Security updates are available for iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation).
All three zero-days have been reported to the IT giant by an anonymous researcher.
Apple did not disclose technical details of the attacks in the wild, threat actors likely chained the flaws to deliver malicious code into web browsers of users visiting specially crafted websites and escalate privileged to run malicious code.
In November, Apple addressed other three zero-day vulnerabilities in its mobile OS that have been abused in attacks in the wild
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, zero-day)