Apple has patched a zero-day arbitrary code execution (ACE) vulnerability in iOS and macOS (opens in new tab) devices that was being exploited in the wild to run code with kernel privileges on compromised devices.
The vulnerability (tracked as CVE-2021-30869) reportedly affected iPhones (opens in new tab) and Macs (opens in new tab) powered by older iOS and macOS versions.
"Apple is aware of reports that an exploit for this issue exists in the wild," Apple said in its update announcement (opens in new tab).
- These are the best endpoint protection tools (opens in new tab)
- Here's our choice of the best malware removal (opens in new tab) software on the market
- Check our list of the best firewall apps and services (opens in new tab)
Although Apple hasn’t shared much details about the vulnerability citing customer’s protection, it did mention that the bug exists in Apple’s open source (opens in new tab) XNU operating system kernel.
Long list of zero-days
The zero-day was reported to Apple by members of Google’s Threat Analysis Group, and Google Project Zero.
Reporting on the development, BleepingComputer shares that the vulnerability impacts iPhone 5s (opens in new tab), iPhone 6, iPhone 6 Plus (opens in new tab), iPad (opens in new tab) Air, iPad mini (opens in new tab) 2, iPad mini 3, and iPod touch (opens in new tab) (6th generation) running iOS 12.5.5, along with Macs running macOS Catalina (opens in new tab).
It’s also being reported that Apple has used the opportunity to backport security updates in the latest security update for two already-patched zero-days, one of them reported by The Citizen Lab (opens in new tab) and used to deploy NSO Pegasus spyware on hacked devices.
Apple reportedly has had to deal with several zero-days off late, many of whom have been used in attacks against iOS and macOS devices, the most notorious being the ones exploited to install Pegasus spyware on iPhones.
- Protect your devices with these best antivirus software (opens in new tab)
Via BleepingComputer (opens in new tab)