The three vulnerabilities, assigned CVEs 2021-1782, 2021-1871 and 2021-1870 all affect the Apple iPhone 6s and later, the iPad Air 2 and later, the iPad mini 4 and later, and the 7th generation iPod Touch. Users of these devices are urged to apply the patches as soon as possible.
CVE-2021-1782 is a Kernel race condition that can be taken advantage of using a malicious application in order for an attacker to gain elevated privileges on the victim device. Apple said it was aware of a report this vulnerability has been actively exploited.
The other two vulnerabilities, CVEs 2021-1871 and -1870 centre on a logic issue in WebKit – which is the browser engine in Safari – which could be used to give a remote attacker arbitrary code execution. Again, Apple said it was aware of reports that these vulnerabilities have been exploited.
If successfully chained together, all three could give an attacker full control of the victim device and conduct further malicious activity, exfiltrating personal data, intercepting private communications and so on.
Apple did not disclose any further details of the vulnerabilities, who might have exploited them, or how many devices may have been successfully compromised.
Sam Curry, chief security officer at Cybereason, commented: “Apple admitting to iPhone security vulnerabilities is about as rare as someone getting struck by lightning. So kudos for them for releasing iOS 14.4 with patches for the three identified bugs.
“What we won’t know for some time is how widespread the threat is. That information is reportedly forthcoming. I say to Apple, don’t stop there as transparency is extremely important because you are one of the largest companies in the world and tens of millions of people trust you to get trust right.
“Dig deeper into the current investigation and come up with new countermeasures and controls. There isn’t a big screen with green and red settings that flip from all good to all bad. As with most things in life, cyber doesn’t work that way.
“Also, keep in mind that history and the public will judge you quite harshly and probably unfairly. Security is a job of doing the best we can and then keep doing better. So keep going and err on the side of protecting users, data, privacy and fighting the good fight with the rest of the security community,” he said.
Concerned users can download and apply the new iOS 14.4 in the usual way, via their Settings app, then General, then Software Update. Those who have allowed automatic updates should receive it automatically.