Apple on Monday released updates to iOS, macOS, tvOS, and watchOS with security patches for a number of vulnerabilities, including a remote jailbreak exploit chain as well as a number of critical issues in the Kernel and Safari web browser that were first demonstrated at the Tianfu Cup held in China two months ago.
Tracked as CVE-2021-30955, the issue could have enabled a malicious application to execute arbitrary code with kernel privileges. Apple said it addressed the issue with “improved state handling.” The flaw also impacts macOS devices.
“The kernel bug CVE-2021-30955 is the one we tried [to] use to construct our remote jailbreak chain but failed to complete on time,” Kunlun Lab’s chief executive, @mj0011sec, said in a tweet. A set of kernel vulnerabilities were eventually harnessed by the Pangu Team at the Tianfu hacking contest to break into an iPhone 13 Pro running iOS 15, a feat that netted the white hat hackers $330,000 in cash rewards.
Aside from CVE-2021-30955, a total of 5 Kernel and 4 IOMobileFrameBuffer (a kernel extension for managing the screen framebuffer) flaws have been remediated with the latest updates:
- CVE-2021-30927 and CVE-2021-30980: A use-after-free issue that could allow a rogue application to execute arbitrary code with kernel privileges.
- CVE-2021-30937: A memory corruption vulnerability that could allow a rogue application to execute arbitrary code with kernel privileges.
- CVE-2021-30949: A memory corruption issue that could allow a rogue application to execute arbitrary code with kernel privileges.
- CVE-2021-30993: A buffer overflow issue that could allow an attacker in a privileged network position to execute arbitrary code.
- CVE-2021-30983: A buffer overflow issue that could allow an application to execute arbitrary code with kernel privileges.
- CVE-2021-30985: An out-of-bounds write issue that could allow a rogue application to execute arbitrary code with kernel privileges.
- CVE-2021-30991: An out-of-bounds read issue that could allow a malicious application to execute arbitrary code with kernel privileges.
- CVE-2021-30996: A race condition that could allow a rogue application to execute arbitrary code with kernel privileges.
On the macOS front, the Cupertino-based company patched an issue with the Wi-Fi module (CVE-2021-30938) that a local user on the system could exploit to cause unexpected system termination and even read kernel memory. The tech giant credited Xinru Chi of Pangu Lab with reporting the flaw.
Also fixed are 7 security flaws in the WebKit component (CVE-2021-30934, CVE-2021-30936, CVE-2021-30951, CVE-2021-30952, CVE-2021-30953, CVE-2021-30954, and CVE-2021-30984) that could potentially result in a scenario where processing specially crafted web content may lead to arbitrary code execution.
In addition, Apple also resolved a pair of issues affecting Notes and Password Manager in iOS that could allow a person with physical access to an iOS device to access contacts from the lock screen and retrieve saved passwords without any authentication. Last but not least, a bug in FaceTime has been squashed, which otherwise could have leaked sensitive user information through Live Photos metadata.
Some parts of this article are sourced from:
thehackernews.com