image
Apple continues to put out potential security fires by patching zero-day vulnerabilities, releasing an emergency update this week to patch three more recently discovered in iOS after a major software update in November already fixed three that were being actively exploited. The newly patched bugs are part of a security update released Tuesday for iOS 14.4 and iPadOS 14.4. One bug, tracked as CVE-2021-1782, was found in the OS kernel, while the other two–CVE-2021-1870 and CVE-2021-1871–were discovered in the WebKit browser engine. The most recent vulnerabilities apparently weren’t known when Apple released iOS 14.2 and iPadOS 14.2, a comprehensive update that patched a total of 24 vulnerabilities back in November. That update included fixes for three zero-day flaws discovered by the Google Project Zero team that were actively being exploited in the wild. Attackers also may be actively taking advantage of the latest bugs, according to Apple. The company described the kernel flaw as a “a race condition” that the update addresses “with improved locking.” If exploited, the vulnerability can allow a malicious application to elevate privileges. The WebKit vulnerabilities are both logic issues that the update addresses with improved restrictions, according to Apple. Exploiting these flaws would allow a remote attacker “to cause arbitrary code execution,” the company said. All the zero-days and thus the fixes affect iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later,…

Source