Apple Patches 3 More Zero-Days Under Active Attack
Apple has patched three zero-day security vulnerabilities in recently released updates to iOS and macOS that are being actively exploited. One of the flaws could allow an attacker to execute arbitrary code with kernel privileges and affects macOS and older versions of iPhones. The two security releases went live on Thursday, with iOS 12.5.5 addressing three zero-days that affect older models of the iPhone and iPod devices and security update 2021-006 for macOS Catalina, which patches one of the same vulnerabilities. The most critical vulnerability, the XNU kernel vulnerability, was discovered by Google researchers in the Google Threat Analysis Group and Google’s Project Zero.
The flaw also affects the WebKit browser engine, which is why the Google researchers likely initially discovered the flaw. Another zero-day flaw patched in the recent update affects WebKit on the same older iOS devices. The vulnerability is tracked as CVE-2021-30858 and is a user-after-free flaw that Apple addressed with improved memory management. The bug would allegedly allow an attacker to process maliciously crafted web content that may lead to arbitrary code execution.