Apple this week issued out-of-band updates for mobile customers to patch two zero-day vulnerabilities that let attackers execute remote code on their iDevices. The Cupertino-based tech giant says criminals “may” have already exploited the flaws.
Available for most iDevices in circulation, iOS 14.5.1 (and the complementary iPadOS 14.5.1) fixes a critical memory corruption issue in the Safari WebKit engine where “processing maliciously crafted web content may lead to arbitrary code execution,” according to the advisory. The vulnerability is tracked as CVE-2021-30665 and was reported to Apple by three security researchers, nicknamed yangkang, zerokeeper and bianliang.
“Apple is aware of a report that this issue may have been actively exploited,” the company says.
A second flaw present in the same open-source web browser engine, tracked as CVE-2021-30663 and reported by an anonymous researcher, can be similarly exploited to achieve “arbitrary code execution.”
In other words, successful exploitation of either bug could let an attacker run malware on an unpatched iDevice, steal data (including passwords or financial information), or impersonate the user through an account takeover.
How to patch now
Anyone who owns an iPhone 6s and later, iPad Pro (any model), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, or iPod touch (7th generation) must install this software update as soon as possible.
To do so, on your device go to Settings -> General -> Software Update. Wait for the device to display the update available for your product, then tap Download and Install. Make sure the device is plugged into a power source or has at least 50% battery before starting the process.
Not the first zero-day this year for Apple users
Apple in 2021 is off to a bad start security-wise. iOS 14.5.1 arrives exactly one week after Apple plugged a macOS zero-day that hackers were exploiting to bypass built-in safeguards and install malware without triggering core Mac security mechanisms.
Shlayer malware started exploiting the flaw to allow attackers to bypass the Gatekeeper, Notarization and File Quarantine security layers in Apple’s desktop OS. The flaw, tracked as CVE-2021-30657, was discovered by security researcher Cedric Owens. Malicious actors who exploited the flaw could run unapproved software via compromised websites or poisoned search engine results. As Dan Goodin reports for Ars Technica, security researchers found that the updated Shlayer malware used the flaw before Apple caught wind of it.
The flaw is patched in macOS 11.3, which users are urged to install. Choose System Preferences from the Apple menu, then click Software Update. If any updates are available, click the Update Now button to install them.
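A patch-level check a defender might run over a device inventory, as an added example that is not from the article or from Bitdefender: it compares each device's reported version against the patched releases named above (iOS/iPadOS 14.5.1, macOS 11.3), treating a shorter version such as 14.5 as older than 14.5.1. The inventory format and device names are constructed for illustration.

```python
# Added example (not from the article): flag devices in a constructed
# inventory that are still below the patched releases the article names.
from itertools import zip_longest

# Minimum patched releases per platform, as stated in the article.
MIN_PATCHED = {"iOS": "14.5.1", "iPadOS": "14.5.1", "macOS": "11.3"}

def parse_version(text):
    """Turn '14.5.1' into (14, 5, 1); a non-numeric part raises ValueError."""
    return tuple(int(part) for part in text.strip().split("."))

def is_patched(platform, version):
    """True if version >= the platform's minimum patched release.
    Missing trailing parts count as 0, so 14.5 < 14.5.1 and 11.3 == 11.3.0;
    an unknown platform counts as unpatched so it is not silently skipped."""
    minimum = MIN_PATCHED.get(platform)
    if minimum is None:
        return False
    have, need = parse_version(version), parse_version(minimum)
    for h, n in zip_longest(have, need, fillvalue=0):
        if h != n:
            return h > n
    return True

def devices_needing_update(inventory_text):
    """Parse 'name,platform,version' lines (a constructed MDM-style export)
    and return the names of devices still below the patched release."""
    stale = []
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, platform, version = (field.strip() for field in line.split(","))
        if not is_patched(platform, version):
            stale.append(name)
    return stale

# Constructed sample inventory; these are not real devices.
SAMPLE_INVENTORY = """\
alice-iphone,iOS,14.5
bob-iphone,iOS,14.5.1
carol-ipad,iPadOS,14.4.2
dave-mbp,macOS,11.2.3
erin-mbp,macOS,11.3
frank-mini,macOS,11.3.1
"""

if __name__ == "__main__":
    print(devices_needing_update(SAMPLE_INVENTORY))  # → ['alice-iphone', 'carol-ipad', 'dave-mbp']
```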
Secure your Apple gear
Staying up to date is considered good cybersecurity practice. But, as history has shown, security flaws creep up on us even when we consider ourselves up to speed with the latest patches. Case in point, iOS 14.5.1 was vulnerable to not one, but two, unknown flaws that could be exploited behind Apple’s back. The same goes for desktop users, as evidenced just a week prior.
Contrary to popular belief, Apple users are targeted by hackers. Bitdefender strongly encourages Apple device owners to apply a solid security foundation to their devices through:
Bitdefender Mobile Security for iOS, an app especially designed for your iGizmo to keep your sensitive data safe from prying eyes (includes Secure VPN for complete online privacy)
Bitdefender Antivirus for Mac with real-time protection against malware (including ransomware), adware blocking, VPN, online security (browsing, online shopping and banking), and Time Machine Protection for your backups in case of a ransomware attack.