September 2021: Apple Patches 3 Zero Days Under Active Attack

On September 24, 2021, Apple released security updates for three vulnerabilities in iOS and one flaw in macOS Catalina. We analyzed these weaknesses and highlighted the ones that should be patched first.

Why do you need to patch these Apple zero days?

  • Two of the iOS flaws (CVE-2021-30860 and CVE-2021-30858) are being actively exploited, while exploits for the third iOS bug and the macOS flaw (CVE-2021-30869) exist in the wild.

  • CISA has red-flagged two of these zero-days (CVE-2021-30860 and CVE-2021-30858).

  • CVE-2021-30860 and CVE-2021-30858 have been assigned CVSS v3 scores of 7.8 and 8.8 respectively (both rated high).

  • Based on CWE analysis, CVE-2021-30860 is categorized under CWE-190 (Integer Overflow or Wraparound) and CVE-2021-30858 under CWE-416 (Use After Free); the latter is listed in the 2021 CWE Top 12 Most Dangerous Software Weaknesses.

  • The security patches also cover older iPhones against the ForcedEntry spyware attack uncovered earlier this month.

  • All three zero-days are detected by popular scanners such as Nexpose, Nessus, and Qualys.

  • Fortunately, none of these vulnerabilities have been publicly disclosed.

  • According to the Shodan search engine, there are no targeted Apple assets.


CISA has also issued an advisory encouraging users and administrators to review the latest Apple security advisories and apply the necessary updates. The updates are available for iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).


Check out our analysis of the Pegasus spyware attack here.

Unsure if there are any gaps in your security that can lead to a cyber attack?

We can help shrink your attack surface. Talk to us!
