Apple released security updates for multiple products, with their patches for critical zero-days vulnerabilities including Safari, Xcode, tvOS, watchOS, iOS, iPadOS, and iTunes. A total of 30 vulnerabilities are addressed, including Arbitrary Code Execution, Denial of Service, Privilege Escalation, Sandbox Escape, and Information Disclosure. Out of these 30 CVEs, 14 vulnerabilities are considered very critical which was shown on their vulnerability scans as they allow an attacker to execute arbitrary code. This is showing itself due to the vulnerability scanning.
On Thursday, Apple took action to address three critical Zero-Day vulnerabilities actively exploited in the wild. These vulnerabilities, identified as CVE-2021-30858, CVE-2021-30860, and CVE-2021-30869, have an impact on a broad range of iPhone and iPad models, including iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad Mini 2, iPad Mini 3, and the sixth-generation iPod touch.
Zero-day vulnerabilities Summary:
Zero-Day (CVE-2021-30869) Get related keyphrases(Opens in a new browser tab)
A critical zero-day vulnerability exploited in the wild was found in the XNU operating system kernel and reported by Erye Hernandez and Clément Lecigne of Google Threat Analysis Group and Ian Beer of Google Project Zero. Successful exploitation of the vulnerability leads to arbitrary code execution with kernel privileges on compromised devices.
Affected Products: iPhone and iPad models, iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and sixth-generation iPod touch.
Solution: iOS 12.5.5
Zero-Day ( CVE-2021-30860)
Another zero-day vulnerability was discovered by Citizen Lab, an interdisciplinary laboratory at the University of Toronto’s Munk School of Global Affairs. The vulnerability, exploited in the wild, affected the CoreGraphics feature of iOS. Successful vulnerability exploitation allows attackers to execute arbitrary code on a target device through maliciously crafted PDFs.
Affected Products: iPhone and iPad models, iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and sixth-generation iPod touch.The Apple patch for critical zero day vulnerability is
Solution: iOS 12.5.5
Zero-Day (CVE-2021-30858)
Finally, there is one more critical zero-day vulnerability exploited in the wild, affecting the WebKit feature of iOS. Successful exploitation leads to arbitrary code execution.
Affected Products: iPhone and iPad models, Phone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and sixth-generation iPod touch.
Solution: iOS 12.5.5
Apple Security Updates Summary :
- Product: Safari 15
- Affected OS: macOS Big Sur and macOS Catalina
- Affected features: WebKit.
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
- CVE: CVE-2021-30846, CVE-2021-30848, CVE-2021-30849, CVE-2021-30851
- Product: Xcode 13
- Affected OS: macOS Big Sur 11.3 and later
- Affected features: IDE Xcode Server.
- Impact: Multiple issues in nginx.
- CVE: CVE-2016-0742,CVE-2016-0746,CVE-2016-0747,CVE-2017-7529,CVE-2018-16843,
CVE-2018-16844, CVE-2018-16845, CVE-2019-20372
- Product: tvOS 15
- Affected features: Accessory Manager, FontParser, ImageIO, Kernel, libexpat, Preferences, Sandbox, WebKit, Wi-Fi.
- Impact: Arbitrary Code Execution, Denial of Service, Privilege Escalation, Sandbox Escape vulnerability.
- CVE: CVE-2021-30837, CVE-2021-30841, CVE-2021-30842, CVE-2021-30843, CVE-2021-30835,
CVE-2021-30847, CVE-2021-30857, CVE-2013-0340, CVE-2021-30854, CVE-2021-30850,
CVE-2021-30846, CVE-2021-30849, CVE-2021-30851, CVE-2021-30810.
- Product: watchOS 8
- Affected features: Accessory Manager, AppleMobileFileIntegrity, FontParser, ImageIO, Kernel, libexpat, Preferences, Wi-Fi, WebKit.
- Impact: Arbitrary Code Execution, Denial of Service, Privilege Escalation, Sandbox Escape vulnerability.
- CVE: CVE-2021-30837, CVE-2021-30811, CVE-2021-30841, CVE-2021-30842, CVE-2021-30843,
CVE-2021-30835, CVE-2021-30851, CVE-2021-30847, CVE-2021-30857, CVE-2013-0340,
CVE-2021-30854, CVE-2021-30855, CVE-2021-30846, CVE-2021-30849, CVE-2021-30810.
- Product: iOS 15 and iPadOS 15
- Affected features: Accessory Manager, AppleMobileFileIntegrity, Apple Neural Engine, CoreML, Face ID, FontParser, ImageIO, Kernel, Model I/O, Preferences, Siri, Telephony, WebKit, WI-FI.
- Impact: Arbitrary Code Execution, Denial of Service, Privilege Escalation, Information Disclosure, Sandbox Escape vulnerability
- CVE: CVE-2021-30838, CVE-2021-30837, CVE-2021-30811, CVE-2021-30825, CVE-2021-30863,
CVE-2021-30841, CVE-2021-30842, CVE-2021-30843, CVE-2021-30847, CVE-2021-30857, CVE-2021-30835,
CVE-2013-0340, CVE-2021-30819, CVE-2021-30855, CVE-2021-30815, CVE-2021-30854, CVE-2021-30815,
CVE-2021-30826, CVE-2021-30846, CVE-2021-30848, CVE-2021-30849, CVE-2021-30851, CVE-2021-30810.
- Product: iTunes 12.12 for windows
- Affected OS: Windows 10 and later
- Affected features: ImageIO, WebKit.
- Impact: Arbitrary Code Execution
- CVE: CVE-2021-30835, CVE-2021-30847, CVE-2021-30849.
SecPod Saner detects these vulnerabilities and automatically fixes them by applying security updates. Download Saner now and keep your systems updated and secure.