In addition to extending fixes of previously fixed security vulnerabilities exploited by NSO’s Group Pegasus spying program that targets iPhone users, on Thursday, Apple issued urgent security upgrades to address numerous security flaws in earlier iOS and macOS releases.
The release of the updates comes as a response to unpatched zero-day flaws in the iOS, related to a lock screen bypass and a set of vulnerabilities that may be exploited to obtain access to Apple ID user email addresses and full names, the apps installed on the device, and also some Wi-Fi information.
The most important of them is CVE-2021-30869, a type confusion issue in Apple’s kernel XNU component that may lead to a hostile program to perform high-privileged arbitrary code. The technology company headquartered in Cupertino claimed it dealt with the issue by improving state management.
The bug report, attributed to Google Threat Analysis group, stated that the vulnerability is being exploited in combination with an N-day remote code execution targeting WebKit.
The updates cover two more flaws tracked as CVE-2021-30858 and CVE-2021-30860, which were fixed earlier this month after an attack dubbed “FORCEDENTRY” (aka Megalodon) was disclosed to target Apple devices through zero-click attacks.
The FORCEDENTRY attack, which was exploiting the CVE-2021-30860 vulnerability, was relying on iMessage to deliver malicious code that introduced the Pegasus spyware on the devices with the idea to exfiltrate sensitive information from them without showing any visible signs of the data-theft activity. This vulnerability is particularly dangerous for its ability to overcome Apple’s iOS-built protection, known as BlastDoor, created to filter untrusted data sent through the messaging application.
The latter three vulnerabilities are claimed to have been reported to Apple in the period between 10th of March and 4th of May. Patches for iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, iPod Touch (sixth generation), iOS 12.5.4 and MacOS Catalina are available and users are urged to get them as soon as possible.