Updates of iOS, iPadOs, and tvOS have been released by Apple, on Tuesday, which includes patches/fixes for three vulnerabilities, that Apple believes, which could have been exploited in the wild quite often. The three vulnerabilities have been registered, as CVE-2021-1782, CVE-2021-1870, and CVE-2021-1871, and were capable of serving a hacker/attacker to escalate privileges and gain access to perform an RCE (Remote Code Execution) attack. However, it hasn’t been clarified, by the responsible authorities, that how extensive the attack was and who are the attackers who may have exploited or was actively exploiting the vulnerabilities.
One of the vulnerabilities, found in the kernel, mentioned as CVE-2021-1782, was described, by Apple, as a race condition, and the impact, also mentioned by Apple, was that it could support any malicious application in escalating its privileges. Apple also mentioned that they fixed this vulnerability by “Improved Locking”.
The other remaining vulnerabilities were found in the Webkit browser engine, used in safari by Apple, mentioned as CVE-2021-1870 and CVE-2021-1871, which as described, by Apple, as the logic issues and could have allowed a hacker/attacker to perform RCE (Remote Code Execution) in safari web browser. This vulnerability was fixed by “Improved Restrictions”, as per Apple.
It is quite clear that the details of how exactly the exploit was done and how many times and what details were exposed or what devices were taken control of, until and unless the patches/fixes are applied by almost every single iOS user. It is also a possibility that the vulnerabilities when combined could be a part of watering hole attacks against specific and valuable targets. In a watering hole attack, the hacker/attacker observes which website is being used quite often by a specific organization, then infects it with a malicious malware, which will further affect the targeted or more users. Such attacks can also be managed to target a specific user with a unique IP or users from a group of IPs.
The released updates are available for iPhone 6s and above versions, iPad Air 2 and above versions, iPad mini 4 and above versions, iPod touch (7th generation), and also for Apple TV HD and Apple TV 4K. Updates about the zero-days came out right after the organization fixed three vulnerabilities that were being exploited actively in the wild and also fixing a zero-day bug that allowed the targeting of Al Jazeera journalists to spy on them, the previous year.