Skip to ContentSkip to Footer
News

Hackers are actively exploiting three Apple iOS flaws

Apple releases fixes for privilege escalation and remote code execution bugs in iOS, iPadOS and tvOS

by: Keumars Afifi-Sabet
27 Jan 2021
The iPhone 12 showing the password screen on a coffee table beside a cup and saucer

Apple has released fixes for three vulnerabilities embedded in the core operating systems of its iPhone, iPad and Apple TV products, that have been exploited in the wild.

The three zero-day vulnerabilities found in Apple’s iOS, iPadOS and tvOS have been fixed with iOS 14.4, iPadOS 14.4 and tvOS 14.4, but the firm confirmed the flaws have already been exploited by cyber criminals.

The vulnerability tracked as CVE-2021-1782 paves the way for a malicious application to elevate privileges, and is present in the kernel of all three Apple systems. It has been described as a race condition, which has now been addressed with improved locking. 

Both CVE-2021-1871 and CVE-2021-1870 concern the WebKit browser engine of iPadOS and iOS, and allows attackers to cause arbitrary code execution. These have been described as a logic issue that was addressed with improved restrictions. 

The devices affected include iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, iPod touch (7th generation), as well as Apple TV 4K and Apple TV HD. The company, however, declined to disclose how broad the attack was, or who specifically has been targeted by hackers exploiting these flaws.

The flaws were flagged to Apple by an anonymous researcher, and, unfortunately, no further details have been made available. 

Related Resource

The complete guide to changing your phone system provider

Optimise your phone system for better business results

How to change your phone system provider - whitepaper from AircallDownload now

"Apple admitting to iPhone security vulnerabilities is about as rare as someone getting struck by lightning. So kudos for them for releasing iOS 14.4 with patches for the three identified bugs,” said the chief security officer at Cybereason, Sam Curry.

“What we won't know for some time is how widespread the threat is. That information is reportedly forthcoming. I say to Apple, don’t stop there as transparency is extremely important because you are one of the largest companies in the world and tens of millions of people trust you to get trust right.”

Curry added that Apple should dig deeper into the investigation and come up with new countermeasures and controls.

Featured Resources

B2B under quarantine

Key B2C e-commerce features B2B need to adopt to survive

Download now

The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management

Download now

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Download now

How fashion retailers are redesigning their digital future

Fashion retail guide

Download now

Recommended

Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021
61% of organizations say improving security a top priority for 2021
cyber security

61% of organizations say improving security a top priority for 2021

29 Jun 2021
ProtectedBy.AI’s CodeLock blocks malware at source code level
software as a service (SaaS)

ProtectedBy.AI’s CodeLock blocks malware at source code level

9 Jun 2021
Nigerian cyber criminals target Texas unemployment system
cyber security

Nigerian cyber criminals target Texas unemployment system

27 May 2021

Most Popular

The benefits of workload optimisation
Sponsored

The benefits of workload optimisation

16 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
RMIT to be first Australian university to implement AWS supercomputing facility
high-performance computing (HPC)

RMIT to be first Australian university to implement AWS supercomputing facility

28 Jul 2021
Skip to HeaderSkip to Content