Heimdal
article featured image

Contents:

Earlier this week, Apple announced security patches for various weaknesses in iOS, macOS, tvOS, and watchOS, including a remote jailbreak exploit chain and several critical flaws in the Kernel and Safari web browser. These vulnerabilities were initially revealed in October at the International Cyber Security Contest Tianfu Cup in China.

The vulnerability, identified as CVE-2021-30955, could have allowed a malicious program to run arbitrary code with kernel privileges. According to Apple, the problem has been addressed by implementing “improved state handling.” macOS devices are also affected by this issue.

Kunlun Lab’s chief executive, @mj0011sec tweeted:

What Other Vulnerabilities Were Fixed?

According to The Hacker News, in addition to the kernel bug CVE-2021-30955, five Kernel and four IOMobileFrameBuffer (a kernel extension for controlling the screen framebuffer) issues were fixed with the latest patches:

  • CVE-2021-30927 and CVE-2021-30980: A use after free issue that could allow a rogue application to run arbitrary code with kernel privileges.
  • CVE-2021-30937: A memory corruption vulnerability that could allow a rogue application to run arbitrary code with kernel privileges.
  • CVE-2021-30949: A memory corruption issue that could allow a rogue application to run arbitrary code with kernel privileges.
  • CVE-2021-30993: A buffer overflow issue that could allow an attacker in a privileged network position may be able to execute arbitrary code.
  • CVE-2021-30983: A buffer overflow issue that could allow an application to run arbitrary code with kernel privileges.
  • CVE-2021-30985: An out-of-bounds write issue that could allow a rogue application to run arbitrary code with kernel privileges.
  • CVE-2021-30991: An out-of-bounds read issue that could allow a malicious application to run arbitrary code with kernel privileges.
  • CVE-2021-30996: A race condition that could allow a rogue application to run arbitrary code with kernel privileges.

On the macOS front, the tech giant patched a vulnerability in the Wi-Fi module (CVE-2021-30938) that might allow a local user on the system to cause unexpected system shutdown and potentially access kernel information.

According to Google, the issue was reported by Xinru Chi of Pangu Lab.

Apple also patched seven more security weaknesses in the WebKit component, a browser engine developed by Apple that is widely utilized in its Safari web browser as well as all iOS web browsers:

  • CVE-2021-30934,
  • CVE-2021-30936,
  • CVE-2021-30951,
  • CVE-2021-30952,
  • CVE-2021-30953,
  • CVE-2021-30954,
  • CVE-2021-30984.

As explained by The Hacker News, these weaknesses could potentially result in a scenario where processing specially crafted web content may lead to arbitrary code execution.

Apple also fixed a couple of bugs in the Notes and Password Manager applications in iOS that may allow someone with physical access to an iOS device to access contacts from the lock screen and get saved passwords without requiring authentication.

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

Author Profile

Antonia Din

PR & Video Content Manager

linkedin icon

As a Senior Content Writer and Video Content Creator specializing in cybersecurity, I leverage digital media to unravel and clarify complex cybersecurity concepts and emerging trends. With my extensive knowledge in the field, I create content that engages a diverse audience, from cybersecurity novices to experienced experts. My approach is to create a nexus of understanding, taking technical security topics and transforming them into accessible, relatable knowledge for anyone interested in strengthening their security posture.

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE