Apple this week released multiple security updates to address two critical vulnerabilities in iOS, macOS and watchOS. The company says it has received reports that the flaws “may have been actively exploited.”
One of many zero-days found in WebKit this year, CVE-2021-30858 can enable a malicious actor to execute arbitrary code on the target device by “processing maliciously crafted web content.
CVE-2021-30860, which is nearly identical in nature, describes a flaw in CoreGraphics: “Processing a maliciously crafted PDF may lead to arbitrary code execution,” according to the advisories.
Both flaws are being actively exploited, according to reports by researchers, the company says.
On the mobile side, the vulnerabilities affect iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
On the desktop side, macOS Big Sur, macOS Catalina and macOS Mojave are all impacted.
Even the wearable branch of Apple’s products is impacted, with CVE-2021-30860 also found in watchOS.
Customers are advised to install iOS 14.8 and iPadOS 14.8 to patch their iDevices. Desktop users are told to update to macOS Big Sur 11.6 or to download Security Update 2021-005 Catalina, depending on their desktop configuration.
Safari 14.1.2 patches CVE-2021-30858 for macOS Catalina and macOS Mojave, respectively. After installing this update, users should see the build number for Safari 14.1.2 as 146184.108.40.206.7 on macOS Mojave and 156220.127.116.11.7 on macOS Catalina.
Finally, watchOS 7.6.2 patches CVE-2021-30860 on Apple Watch Series 3 and newer models.
Apple credits The Citizen Lab for finding CVE-2021-30860, only a few weeks after the Toronto-based team published details of a zero-day exploit allegedly used by an Israeli vendor of surveillance solutions.
“Our latest discovery of yet another Apple zero day employed as part of NSO Group’s arsenal further illustrates that companies like NSO Group are facilitating ‘despotism-as-a-service’ for unaccountable government security agencies,” the research team wrote. “Ubiquitous chat apps have become a major target for the most sophisticated threat actors, including nation state espionage operations and the mercenary spyware companies that service them. As presently engineered, many chat apps have become an irresistible soft target.”
Apple users are urged to update their products as soon as possible.
For reference, all affected devices and the advisories for the flaws impacting each product are listed below: