Vulnerability management

Apple patches one zero-day, fixes two other bugs

People shop at the Fifth Avenue Apple Store during the launch of Apple’s new iPhone 13 and iPhone 13 Mini on Sept. 24, 2021, in New York City. The Cybersecurity and Infrastructure Security Agency issued an alert to quickly patch vulnerabilities after Apple released security updates this week. (Photo by Spencer Platt/Getty Images)

Apple on Thursday released security updates for one zero-day vulnerability exploited in the wild and two other vulnerabilities that could let hackers potentially break into older versions of iPhones, iPads, and Macs.

The zero-day exploited in the wild, CVE-2021-30869, was found in the Apple XNU operating system kernel by Erye Hernandez and Clément Lecigne of Google Threat Analysis Group, and Ian Beer of Google Project Zero.

The Cybersecurity and Infrastructure Security Agency (CISA) issued a notice yesterday advising security teams to move quickly on a patch.

While Apple does a fantastic job of rapidly releasing patches to ensure users are protected from any potential exploits, people often ignore them until they’re forced to update, said Hank Schless, senior manager, security solutions at Lookout.

“This could be risky to an organization that allows its employees access to corporate resources from their mobile devices,” Schless said. “If an employee leaves this type of vulnerability unpatched, it could provide an attacker with access to valuable information. Businesses need a way to enforce OS update policies that protect their organization and customer data from exploitable zero-day attacks.” 

One of the other bugs patched in the iOS update, CVE-2021-30860, is a zero-click exploit discovered by Citizen Lab. It made the news just two weeks ago, when it was alleged that the exploit was used to illegally spy on a Saudi activist with the NSO Group’s Pegasus spyware. The vulnerability means that processing a maliciously crafted PDF may lead to arbitrary code execution.

John Bambenek, principal threat hunter at Netenrich, added that when a hacker wants to steal money or information, they will break into a computer. However, when they want to do “really bad things” or commit human rights violations, hackers want to access a mobile phone.

“While Citizen Lab is doing great work finding these zero-days, we are still struggling to keep up with the radically more dangerous threat landscape created by living our entire lives on our mobile devices,” Bambenek said.  
