CVE-2021-1782, CVE-2021-1870, and CVE-2021-1871 could allow threat actors to perform privilege escalation and remote code execution attacks. The company says the vulnerabilities were likely exploited in the wild, without specifying the attacks’ extent.
More about the three Apple zero-days
The three vulnerabilities were reported by an anonymous researcher. Let’s see what we know about them so far.
It is noteworthy that this vulnerability affects the kernel in the following Apple devices: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation). Apple’s description says that “a race condition was addressed with improved locking.”
If exploited, this zero-day could enable a malicious application to elevate privileges on a vulnerable device, so patching is highly recommended.
CVE-2021-1870 and CVE-2021-1871
These two bugs represent a logic issue that was addressed via improved restrictions. Affected are iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation).
These bugs resided in the WebKit browser engine and could allow an attacker to perform arbitrary code execution inside the Safari browser.
Apple users should take the time to revise their devices’ security and see whether the patches are applied.
Last year, security researchers disclosed a security flaw in Safari for iOS and Mac, which occurred due to Safari preserving address bar of the URL when requested over an arbitrary port.”
Threat actors could arrange a malicious webpage and trick the victim into opening the link sent in a spoofed email or text message. This action would take the potential victim to malware or would steal their credentials.