Critical Security Updates for Apple iOS and macOS Released to Address Actively Exploited Vulnerabilities

September 24, 2021

On Thursday, Apple launched important security updates to tackle multiple vulnerabilities in older iOS and macOS versions, which have been exploited in real-world attacks. This release also expands on previous patches for a security flaw targeted by NSO Group’s Pegasus spyware aimed at iPhone users.

Notably, CVE-2021-30869, a type confusion vulnerability within Apple’s XNU kernel, could allow malicious apps to execute arbitrary code with elevated privileges. Apple has improved state handling to mitigate this issue. Google’s Threat Analysis Group, which reported the vulnerability, noted it was being exploited alongside a remote code execution vulnerability affecting WebKit.

Additionally, Apple addressed two more vulnerabilities, CVE-2021-30858 and CVE-2021-30860, which were patched earlier this month.

Apple Issues Critical Updates to Address Zero-Day Vulnerabilities in iOS and macOS

September 24, 2021

Apple has issued important security updates for older versions of iOS and macOS in response to vulnerabilities that are currently being actively exploited. The company identified these issues during its ongoing security monitoring and reported that exploits have been observed in the wild. Furthermore, the latest updates extend the existing patches for a previously identified security flaw that was manipulated by the NSO Group’s Pegasus spyware to target iPhone users.

Among the critical vulnerabilities addressed is CVE-2021-30869, a type confusion issue located within Apple’s XNU kernel component. This flaw enables a malicious application to execute arbitrary code with elevated privileges, which poses a significant risk to device security. To remediate the issue, Apple has implemented improved state handling measures. This specific vulnerability was highlighted by Google’s Threat Analysis Group, which reported its usage in conjunction with an existing N-day remote code execution vulnerability targeting WebKit, Apple’s web browser engine.

In addition to CVE-2021-30869, Apple also resolved two other critical vulnerabilities, identified as CVE-2021-30858 and CVE-2021-30860. The resolution of these flaws, addressed earlier in the month, emphasizes the urgent need for organizations using Apple products to update their systems to safeguard against potential attacks.

The nature of these vulnerabilities and the targeted exploits raises significant concerns for businesses and their data security. Given that these vulnerabilities could be exploited to gain initial access to devices, they highlight the importance of timely software updates as a fundamental line of defense. The tactics used by adversaries in such attacks often align with techniques outlined in the MITRE ATT&CK framework, including privilege escalation and remote code execution, which can enable cybercriminals to pivot and further compromise organizational assets.

Companies utilizing Apple products must be particularly vigilant and proactive in applying the latest updates to mitigate the risks associated with these vulnerabilities. Failure to do so not only exposes individual devices but also potentially compromises the broader organizational network.

In conclusion, Apple’s latest update serves as a crucial reminder of the evolving landscape of cybersecurity threats. Business owners are advised to prioritize the implementation of recommended security patches and to remain informed about new vulnerabilities as they arise to protect their digital environments effectively.

Source link

Related Posts

Cisco Issues Patches for Three Critical Vulnerabilities in IOS XE Software

On September 24, 2021, Cisco Systems announced the release of patches to address three critical security vulnerabilities in its IOS XE network operating system. These flaws could allow remote attackers to execute arbitrary code with administrative privileges and potentially trigger a denial-of-service (DoS) condition on affected devices. The identified vulnerabilities are as follows:

  • CVE-2021-34770 (CVSS score: 10.0) – Cisco IOS XE Software for Catalyst 9000 Family Wireless Controllers CAPWAP Remote Code Execution Vulnerability
  • CVE-2021-34727 (CVSS score: 9.8) – Cisco IOS XE SD-WAN Software Buffer Overflow Vulnerability
  • CVE-2021-1619 (CVSS score: 9.8) – Cisco IOS XE Software NETCONF and RESTCONF Authentication Bypass Vulnerability

The most critical issue, CVE-2021-34770, is described by Cisco as a “logic error” occurring during the processing of CAPWAP (Control and Provisioning of Wireless Access Points) packets, which allows a central wireless controller to manage access points.

SonicWall Releases Critical Patches for Vulnerability in SMA 100 Series Devices

On September 25, 2021, SonicWall, a network security firm, addressed a serious security vulnerability identified in its Secure Mobile Access (SMA) 100 series appliances. This flaw allows remote, unauthorized attackers to gain administrative access to the affected devices. Designated as CVE-2021-20034, the issue involves arbitrary file deletion and has a critical CVSS score of 9.1 out of 10. Exploiting this vulnerability could enable an adversary to bypass path traversal checks, leading to deletion of files and a reset of the device to factory settings. SonicWall indicated that the vulnerability stems from inadequate file path restrictions, potentially allowing arbitrary file deletions. Fortunately, the company noted that there are currently no signs of exploitation in the wild. SonicWall also acknowledged Wenxu Yin of Alpha Lab, Qihoo 360, for reporting this security concern, which affects the SMA 100 Series, including models like SMA 200 and SMA 210.

Critical Chrome Update Released to Fix Actively Exploited Zero-Day Flaw

On September 25, 2021, Google issued an urgent security patch for its Chrome web browser to address a vulnerability that is currently being exploited. Identified as CVE-2021-37973, the issue is categorized as a “use after free” flaw within the Portals API, a system that facilitates seamless navigation between web pages. Clément Lecigne from Google’s Threat Analysis Group reported the vulnerability. While detailed information about the flaw has not been shared to protect users, Google confirmed that an exploit for CVE-2021-37973 is known to be in use. This update comes shortly after Apple patched a related exploit affecting older versions of iOS and macOS (CVE-2021-30869).

Urgent: Update Google Chrome Now to Fix 2 New Actively Exploited Zero-Day Vulnerabilities

On October 1, 2021, Google released critical security updates for its Chrome browser, addressing two newly discovered vulnerabilities currently being exploited. These mark the fourth and fifth zero-day flaws resolved this month. The vulnerabilities, identified as CVE-2021-37975 and CVE-2021-37976, relate to a use-after-free issue in the V8 JavaScript and WebAssembly engine, as well as an information leak in the core. As is standard practice, Google has withheld specific details about the attacks to ensure that users can quickly install the necessary updates. However, the company confirmed that “exploits for CVE-2021-37975 and CVE-2021-37976 exist in the wild.” CVE-2021-37975 was reported by an anonymous researcher, while CVE-2021-37976 was identified by Clément Lecigne from Google’s Threat Analysis Group.