Apple has rolled out urgent patches for a number of its software products including iOS, iPadOS, macOS, watchOS, and Safari.
Safari 14.1.2 - macOS Catalina and macOS Mojave
The patch addresses CVE-2021-30858, a vulnerability still undergoing analysis; full details have not yet emerged.
According to reports, the vulnerability may be linked to Pegasus spyware, originally created by Israeli firm NSO Group.
Apple states, “Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
“Description: A use after free issue was addressed with improved memory management.”
Security Update 2021-005 Catalina - macOS Catalina
The CVE-2021-30860 vulnerability lies in CoreGraphics, the rendering framework that handles PDF content, within the macOS Catalina operating system.
“Impact: Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
“Description: An integer overflow was addressed with improved input validation.”
The two vulnerabilities (CVE-2021-30858 and CVE-2021-30860) are also patched in:
- macOS Big Sur 11.6
- watchOS 7.6 - Apple Watch Series 3 and later
- iOS 14.8 and iPadOS 14.8 - iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Users should ensure their devices receive these security updates as soon as possible; administrators of managed fleets should verify the installed versions rather than assume the update has been applied.
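A quick fleet check, added here as an example and not taken from the article or from Apple: given the version strings that `sw_vers -productVersion` and Safari's `CFBundleShortVersionString` report, it compares them numerically against the patched versions named above (a plain string comparison would rank 11.10 below 11.6). The sample versions it runs on are constructed. It also encodes a caveat: a Catalina Mac reports 10.15.7 both before and after Security Update 2021-005, so the product version alone cannot prove the CoreGraphics fix is installed; `softwareupdate --history` is the place to confirm it there.

```shell
#!/bin/sh
# Added example (not Apple's or the article's code). Assumes the patched
# baselines from the article: Big Sur 11.6, Safari 14.1.2, and Security
# Update 2021-005 on Catalina.

# version_ge A B: returns 0 when dotted version A >= B, comparing each
# numeric field, and treating missing fields as 0 (11.6 == 11.6.0).
version_ge() {
  vg_a="$1"; vg_b="$2"
  while [ -n "$vg_a" ] || [ -n "$vg_b" ]; do
    vg_ai="${vg_a%%.*}"; vg_bi="${vg_b%%.*}"
    if [ "$vg_a" = "$vg_ai" ]; then vg_a=""; else vg_a="${vg_a#*.}"; fi
    if [ "$vg_b" = "$vg_bi" ]; then vg_b=""; else vg_b="${vg_b#*.}"; fi
    vg_ai="${vg_ai:-0}"; vg_bi="${vg_bi:-0}"
    if [ "$vg_ai" -gt "$vg_bi" ]; then return 0; fi
    if [ "$vg_ai" -lt "$vg_bi" ]; then return 1; fi
  done
  return 0
}

# check_macos_version V: classify the output of `sw_vers -productVersion`.
check_macos_version() {
  v="$1"
  case "$v" in
    11.*)
      if version_ge "$v" "11.6"; then
        echo "OK: Big Sur $v includes the 11.6 fixes"
      else
        echo "UPDATE: Big Sur $v is below 11.6"
      fi ;;
    10.15.*)
      # Catalina stays at 10.15.7 across security updates; the product
      # version cannot tell 2021-005 apart from an older build.
      echo "CHECK: Catalina reports $v before and after Security Update 2021-005; confirm with softwareupdate --history" ;;
    10.14.*)
      echo "CHECK: Mojave $v gets Safari 14.1.2 only; confirm the Safari bundle version" ;;
    *)
      echo "UNKNOWN: $v is outside this article's scope" ;;
  esac
}

# check_safari_version V: classify Safari's CFBundleShortVersionString.
check_safari_version() {
  if version_ge "$1" "14.1.2"; then
    echo "OK: Safari $1"
  else
    echo "UPDATE: Safari $1 is below 14.1.2"
  fi
}

# Constructed sample inputs, so the script runs anywhere. On a real Mac the
# guarded block below reads the live values instead.
for v in 11.5.2 11.6 10.15.7 10.14.6; do check_macos_version "$v"; done
for s in 14.1.1 14.1.2; do check_safari_version "$s"; done

if command -v sw_vers >/dev/null 2>&1; then
  check_macos_version "$(sw_vers -productVersion)"
  check_safari_version "$(/usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' \
    /Applications/Safari.app/Contents/Info.plist)"
  # Catalina: the security update shows up in the install history, not in sw_vers.
  softwareupdate --history 2>/dev/null | grep -i 'Security Update 2021-005' || true
fi
```

Run it as-is to see the classifications for the constructed versions; on a Mac it additionally reports the live product and Safari versions, and on Catalina greps the update history for 2021-005.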
Security firm CybSafe's CEO and founder Oz Alashe comments, “When the use of Pegasus spyware on activists' iPhones was revealed in July this year, we all witnessed the disruption that unpatched security flaws have the potential to cause.
“The news about the identification of ‘zero click malware’ is deeply concerning for individuals but also for businesses. Anyone connecting an unpatched Apple device to a corporate network today is effectively a vulnerability point, should the zero click malware be activated. So while users need to update their Apple software immediately to protect themselves, they also need to do it for the sake of all the businesses whose networks they may connect to.
“While it may be tempting to delay installation, the longer people delay, the more likely they are to forget to update at all, and the longer the vulnerability will exist on their device. Setting a reminder or an alarm is a useful way for people to ensure they update sooner rather than later. It's also a great idea to stay vigilant and look out for news of new updates as they appear. The more we stay alert to updates, the more we reduce our cyber risk.”
ExtraHop CTO and cofounder Jesse Rothstein also comments, “We all carry highly sophisticated personal devices which have profound implications to personal privacy. There are many examples of this such as app data collection - which Apple recently moved to curb with its App Tracking Transparency framework.
“Any sufficiently sophisticated system has security vulnerabilities that can be exploited, and mobile phones are no exception.
“Pegasus is an example of how unknown vulnerabilities can be exploited to access highly sensitive personal information. The NSO group is an example of how governments can essentially outsource or purchase weaponised cyber capabilities. This is no different than arms dealing in my view; it's just not regulated that way. Companies are always going to have to patch their vulnerabilities, but regulations will help prevent some of these cyber weapons from being misused or falling into the wrong hands.”