Apple has released security updates to fix a zero-day vulnerability exploited in the wild by attackers to hack iPhones and Macs running older versions of iOS and macOS.
Zero-day corrected today (tracked as CVE-2021-30869) [1, 2] was found in the kernel of the XNU operating system and has been reported by Erye Hernandez and Clément Lecigne of Google Threat Analysis Group, and Ian Beer of Google Project Zero.
Successful exploitation of this bug leads to execution of arbitrary code with kernel privileges on compromised devices.
“Apple is aware of a report that this issue may have been actively exploited,” Apple said in describing the zero day bug.
The full list of affected devices includes:
- iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3 and iPod touch (6th generation) running iOS 12.5.5
- and Mac with security update 2021-006 Catalina.
Apple also backported security updates for two previously fixed zero-days, one of which reported by The Citizen Lab and used to deploy NSO Pegasus spyware to hacked devices.
0 Day Privilege Escalation for macOS Catalina Discovered in the Wild by @eryeh https://t.co/yvCWPo45fL
We have seen this used in conjunction with a webkit targeting N-day remote code execution.
Thanks to Apple for releasing the patch so quickly.
– Shane Huntley (@ShaneHuntley) September 23, 2021
Long zero-day stream exploited in the wild
In addition to today’s zero-day, Apple has had to contend with what looks like an endless stream of zero-day bugs used in attacks targeting iOS and macOS devices:
- two days zero earlier this month, one of them also used to install Pegasus spyware on iPhones,
- the FORCEDENTRY exploit disclosed in August (previously tracked by Amnesty Tech as Megalodon),
- three iOS zero-days (CVE-2021-1870, CVE-2021-1871, CVE-2021-1872) in February, exploited in the wild and reported by anonymous researchers,
- an iOS zero-day (CVE-2021-1879) in March which may also have been actively exploited,
- a zero-day on iOS (CVE-2021-30661) and one on macOS (CVE-2021-30657) in April, exploited by the Shlayer malware,
- three more iOS zero-days (CVE-2021-30663, CVE-2021-30665 and CVE-2021-30666) in May, bugs allowing arbitrary remote code execution (RCE) simply by visiting malicious websites,
- a macOS zero-day (CVE-2021-30713) in May, which was abused by XCSSET malware to bypass Apple’s TCC privacy protection,
- two zero-day iOS bugs (CVE-2021-30761 and CVE-2021-30762) in June that “may have been actively exploited” to hack older iPhone, iPad and iPod devices.
Update: A previous version of the story stated that Apple fixed three zero days, one of which was used to deploy spyware. We’ve updated the story to correctly say that the company fixed a single zero day mined in the wild.