Apple Warns of Three iOS Zero-Day Security Vulnerabilities Exploited in the Wild

Apple on Tuesday released updates for iOS, iPadOS, and tvOS with fixes for three security vulnerabilities that it says may have been actively exploited in the wild.


Reported by an anonymous researcher, the three zero-day flaws — CVE-2021-1782, CVE-2021-1870, and CVE-2021-1871 — could have allowed an attacker to elevate privileges and achieve remote code execution.


The iPhone maker did not disclose how widespread the attack was or reveal the identities of the attackers actively exploiting the flaws.





While the privilege escalation bug in the kernel (CVE-2021-1782) was noted as a race condition that could allow a malicious application to elevate its privileges, the other two shortcomings, each described as a "logic issue," were discovered in the WebKit browser engine (CVE-2021-1870 and CVE-2021-1871), permitting an attacker to achieve arbitrary code execution inside Safari.


Apple said the race condition and the WebKit flaws were addressed with improved locking and restrictions, respectively.



While exact details of the exploit leveraging the flaws are unlikely to be made public until the patches have been widely applied, it wouldn't be a surprise if they were chained together to carry out watering hole attacks against potential targets.


Such an attack would involve delivering the malicious code simply by visiting ..