Posted on January 27, 2021 at 3:43 PM
Apple has released another vulnerability update, as the tech giant warns that hackers may have exploited three new vulnerabilities it discovered. Although Apple has released patches for the bugs, the company has warned users to update their iOS devices as soon as possible to avoid being exploited.
When contacted by the press, Apple was not readily available to answer questions but released a statement on its blog to confirm the vulnerability and advised iOS users on what to do.
The company also said that, due to its policies, it doesn’t disclose the vulnerability to the public until “an investigation has occurred.”
Users should protect the security of their iPhones and iPads by updating to iOS 14.4, which has already been rolled out by the company.
Users looking to apply the update can find the new software update on their phones in the Settings app, under the “General” section.
Two bugs discovered in WebKit
According to Apple’s blog post, two of the bugs were found in WebKit, an open-source browser engine used by the Safari web browser. The two vulnerabilities could allow remote attackers to execute arbitrary code, according to Apple.
The other vulnerability was discovered in the kernel, a core part of Apple’s operating system. The vulnerabilities affect users of iPad Air 2 or later, and iPhone 6s models and later.
Apple was alerted about the vulnerabilities by anonymous researchers.
The iOS 14 software was rolled out by Apple in September last year, with some new features like options to select a different web browser and home screen widgets.
Before the upgrade, the Safari web browser was the default browser for the phones, but the additional options gave users the choice to use another web browser when browsing the net.
Apple made some other changes, including the way users see their incoming calls. Before the change, incoming calls used to cover the entire screen on the phone, blocking the user’s activities until the phone stopped ringing. However, calls now appear as a banner, which is more convenient for users.
Patches for vulnerabilities released
Apple said it has already released an update for the zero-day vulnerabilities that were exploited in the wild.
The iOS kernel bug is a race condition vulnerability that enables a threat actor to plant attack code on the system.
The two WebKit zero-days were described as a “logic issue” that can enable remote attackers to execute malicious code inside users’ Safari browsers.
According to security researchers, the three vulnerabilities are part of an exploitation chain that lures users to a malicious address that takes advantage of the WebKit vulnerability. The threat actors can run initial code, then escalate to higher privileges that let them execute system-level code and infiltrate the iOS app.
It has not been long since Apple issued updates for three other vulnerabilities. In September last year, the tech giant patched three sets of zero-days after they were discovered by Google’s security teams.
A month later, there was news of another set of zero-days by Citizen Lab. The security firm reported that some threat actors were exploiting sets of zero-days that allow them to gain access to some servers.
Google had already provided patches for the vulnerabilities even before they went public. Apple promptly released the iOS version with advanced security features.
In recent times, cybercriminals have intensified efforts to search for and find unknown zero-day vulnerabilities, which would give them access to systems and servers. The Apple security team has been working seriously to make sure people’s iOS devices are safe.
Apple has asked users to always look for new updates to their devices to avoid being a victim of any vulnerability-related issue.