Apple has released iOS 14.4 and iPadOS 14.4 to address three vulnerabilities that have been actively exploited. The company has provided very little detail on the vulnerabilities, which were reported by an anonymous researcher. All three have been assigned a Common Vulnerabilities and Exposures (CVE) number.
Mitre’s CVE database provides no details on CVE-2021-1870, CVE-2021-1871 and CVE-2021-1782. However, there is a little more detail on the Apple support site, where the company has provided the following information on the vulnerabilities.
CVE-2021-1870 and CVE-2021-1871 are both in WebKit. Apple describes the impact as: “A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.” It goes on to say: “A logic issue was addressed with improved restrictions.”
CVE-2021-1782 is in the kernel. Its impact is: “A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited.” It also says: “A race condition was addressed with improved locking.”
These are likely to be related incidents. Apple’s Safari browser uses WebKit, so by exploiting a vulnerability there, attackers could download malicious code onto the device. Exploiting the kernel issue would then allow that code to run with elevated privileges and access protected data such as passwords, usernames and stored credit card information.
Enterprise Times: What does this mean?
The most important thing here is that Apple has responded to the alert and patched the vulnerabilities. The next step is for users to apply the patch to their devices as soon as possible. It would have been helpful to have more details on the attacks Apple has seen, as that would allow enterprise security teams to identify and remediate any compromised devices. Instead, Apple has kept that data hidden for now.
After years of selling itself as more secure than Windows, with some justification, Apple is coming under increasing attack. Going public with details of vulnerabilities will help users take responsibility for patching their devices. That said, users are generally quick to patch mobile devices so Apple should see a significant uptake of this patch.