An Apple store in London. Apple recently patched three zero-day iOS vulnerabilities exploited in the wild. (Jon Rawlinson/CC BY 2.0)

Apple on Wednesday reported that it had recently patched three new zero-day iOS vulnerabilities exploited in the wild.

The leading maker of iPhones and other popular mobile devices that run iOS said the vulnerabilities were reported by an anonymous researcher. The news came on the heels of the patching of three other zero-day vulnerabilities last November, which were discovered by Google’s Project Zero security team.

One of the vulnerabilities, CVE-2021-1782, affects the operating system kernel, where a malicious application may be able to elevate privileges. Apple said a race condition (a flaw in which the outcome depends on the unpredictable order in which concurrent threads run) was addressed with improved locking. The other two vulnerabilities, CVE-2021-1871 and CVE-2021-1870, affect WebKit. Apple reported that a remote attacker may be able to cause arbitrary code execution, noting that a logic issue was addressed with improved restrictions.

Ray Kelly, principal security engineer at WhiteHat Security, said that while there’s not much information available yet regarding the zero-days, we do know that it takes all three to make the exploit work.

“In this case, it was two WebKit and one kernel exploits to gain elevated access to the iOS device,” Kelly said. “It really shows the lengths that malicious actors will go to gain access to mobile devices. As always, it’s important that users stay up to date with updates to help reduce the risk of becoming a victim of a sophisticated attack such as this.”

Hank Schless, senior manager, security solutions at Lookout, added that while Apple has a significant focus on making iOS secure, as it grows in capabilities and complexity, it’s difficult for their products not to have vulnerabilities. 

“Once OS vulnerabilities are discovered, attackers move quickly to figure out how to take advantage of the open door to a victim’s personal data,” Schless said. “They will frequently use mobile phishing as a way to exploit the vulnerability. Malicious websites can execute actions on the victim’s device that take advantage of vulnerabilities in the OS or installed apps.”

Schless said IT and security teams need visibility into actionable data about their mobile fleet to protect their users and the data they access from these threats. He recommends building and enforcing policies that limit or block access to corporate data until the device is fully updated. 

“Without enforcing device updates, you’re giving attackers a backstage pass to your proprietary corporate data, customer personally identifiable information, and highly valuable data,” Schless said.