Apple Ships Emergency Fixes for Under-Attack iOS Zero-Day

iOS Vulnerabilities Exploited in the Wild

Apple on Tuesday dropped emergency security patches for its flagship iOS and iPadOS platforms alongside a warning that hackers may already be exploiting three different security vulnerabilities.

The patches -- contained in iOS 14.4 and iPadOS 14.4 -- are currently being pushed to mobile users via the automatic updating mechanism.

Apple did not provide technical details of the vulnerabilities or the in-the-wild attacks, except to identify the flaws in the Kernel and in WebKit, the open-source web browser engine used in Safari, Mail, App Store and a range of macOS and iOS apps.

Here are the bare-bones details from Apple:

CVE-2021-1782 (Kernel) -- Impact: A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited. Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation). Anonymously reported.

CVE-2021-1871 and CVE-2021-1870 (WebKit) -- Impact: A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation). Reported by anonymous researchers.

Apple has promised additional details will be available soon.

Ryan Naraine is a journalist and cybersecurity strategist with more than 20 years of experience covering IT security and technology trends. He is the host of the Security Conversations podcast and a regular speaker at cybersecurity conferences around the world.

Ryan has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and Kaspersky GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's career as a journalist includes bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Follow Ryan on Twitter @ryanaraine.
