Apple released updates for three zero-day flaws exploited in the wild.
CVE-2021-30869, CVE-2021-30860, CVE-2021-30858
The first actively exploited zero-day flaw, CVE-2021-30869, has been fixed in updates for macOS Catalina and iOS 12.
According to the official advisory, “a malicious application may be able to execute arbitrary code with kernel privileges.” The company is aware of exploits that can leverage the vulnerability in the wild. Technical details are scarce, but patching is mandatory.
The update applies to iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation). Apple explained that the underlying type confusion issue was addressed with improved state handling.
Two more vulnerabilities were also addressed. The first is an integer overflow issue, tracked as CVE-2021-30860 and disclosed by The Citizen Lab. “Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited,” the company noted.
The second, CVE-2021-30858, is a use-after-free vulnerability reported by an anonymous researcher.
Earlier this week, a zero-day vulnerability in macOS affecting Big Sur and prior versions was disclosed to the public.
The bug resides in the macOS Finder and could allow a remote attacker to trick users into running arbitrary commands. Apparently, there is still no patch for the issue, which was discovered by independent security researcher Park Minchan and reported to the SSD Secure Disclosure program.