Emergency Updates for macOS, iOS and Safari (CVE-2021-30858, CVE-2021-30860)


Overview

Apple has released emergency security updates for two zero-day vulnerabilities, CVE-2021-30858 and CVE-2021-30860, affecting macOS, iOS/iPadOS, watchOS and the Safari web browser. Both are reported to have been exploited in the wild before the fixes were available.

Description

Apple has released macOS Big Sur 11.6, iOS 14.8/iPadOS 14.8, Safari 14.1.2 and watchOS 7.6.2 to fix two security flaws, tracked as CVE-2021-30858 and CVE-2021-30860. According to Apple's advisories, both are zero-days: Apple states it is aware of reports that each issue may have been actively exploited.

The first zero-day, CVE-2021-30858, is a use-after-free vulnerability caused by improper memory handling in WebKit, the browser engine behind Safari and all web content rendering on iOS/iPadOS. Processing maliciously crafted web content can trigger it, allowing an attacker to execute arbitrary code on a vulnerable device.

The second zero-day, CVE-2021-30860, is an integer overflow in CoreGraphics, Apple's image rendering library. Processing a maliciously crafted PDF can trigger it, allowing an attacker to run arbitrary code on the vulnerable device. Apple addressed it with improved input validation.

CVE-2021-30860 was reported by The Citizen Lab at the University of Toronto, which dubbed the exploit FORCEDENTRY. Citizen Lab discovered it while analyzing a phone infected with NSO Group's Pegasus spyware: according to its report, the exploit was delivered as a zero-click attack through iMessage, using attachments with a .gif extension that were in fact crafted PDF files processed by CoreGraphics. Citizen Lab also noted that it believes FORCEDENTRY has been in use since at least February 2021.

Note that FORCEDENTRY (CVE-2021-30860) is a CoreGraphics bug, not a WebKit bug, so the Safari 14.1.2 update addresses only CVE-2021-30858. CVE-2021-30860 affects iPhones and iPads on iOS/iPadOS versions prior to 14.8, Macs prior to macOS Big Sur 11.6 and Apple Watches prior to watchOS 7.6.2.

Impact

An attacker who exploits CVE-2021-30858 by luring a user to a crafted HTML page can corrupt memory in WebKit (use after free) and execute arbitrary code remotely. In practice this first yields code execution inside the sandboxed WebKit content process; taking full control of the device requires chaining a sandbox escape and a privilege escalation, which is how in-the-wild browser exploit chains are built.

Impact Summary CVE-2021-30858

Category: Use After Free
CVSS 3.1 Base Score: N/A
CVSS 3.1 Vector: N/A

An attacker who exploits CVE-2021-30860 by getting a crafted PDF parsed by CoreGraphics can trigger the integer overflow, corrupt memory and execute arbitrary code with the privileges of the process that processed the file. Because attachments are parsed automatically by the system's image and messaging components, the victim does not have to open anything: in the FORCEDENTRY case the file arrived through iMessage and was processed without user interaction.

Impact Summary CVE-2021-30860

Category: Integer Overflow
CVSS 3.1 Base Score: 7.8 High
CVSS 3.1 Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

The vector's Attack Vector (Local) and User Interaction (Required) values model a locally opened file; they understate the real-world risk when the same file is delivered over a zero-click channel such as iMessage.

Solution (Update)

To defend against attacks exploiting these zero-day vulnerabilities (CVE-2021-30858, CVE-2021-30860), Apple released macOS Big Sur 11.6, iOS/iPadOS 14.8, watchOS 7.6.2 and Safari 14.1.2 (the latter delivers the WebKit fix to Macs still on macOS Catalina or Mojave). Affected products need to be updated to these versions or later immediately. On iOS and iPadOS the update is installed from Settings > General > Software Update; on macOS from System Preferences > Software Update, or from a terminal with "softwareupdate --list" followed by "softwareupdate --install --all". Verify the installed version afterwards (Settings > General > About on iOS, "sw_vers -productVersion" on macOS) rather than trusting that the update was applied.
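The following script is an added example for checking that fleet devices have actually reached the fixed releases named above; it is not code from Apple or from the original advisory. The fixed version numbers come from the advisory text. The function names and the sample inventory are assumptions made for illustration, and the version comparison expects plain numeric dotted versions (as printed by "sw_vers -productVersion"), not build identifiers.

```sh
#!/bin/sh
# Added example (not Apple's or the advisory's own code): flag devices whose
# OS or Safari version predates the releases that fix CVE-2021-30858 and
# CVE-2021-30860. Fixed versions are from the advisory; function names and
# the sample inventory below are assumptions for illustration.

# version_lt A B: return 0 (true) if dotted version A is lower than B.
# Missing components count as 0, so "11.6" and "11.6.0" compare equal.
# Components must be numeric (pass "11.6", not "11.6 (20G165)").
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        if [ "$a" = "$x" ]; then a=''; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=''; else b=${b#*.}; fi
        x=${x:-0} y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1
}

# Minimum versions carrying the fixes, per the advisory above.
MACOS_FIXED=11.6
IOS_FIXED=14.8
SAFARI_FIXED=14.1.2
WATCHOS_FIXED=7.6.2

# check_patched PRODUCT VERSION: return 0 if VERSION is at or above the fixed
# release for PRODUCT, 1 if it is older, 2 for an unknown product. A Mac still
# on a 10.x release is flagged too: older macOS versions were served by
# separate security updates and have to be checked against those instead.
check_patched() {
    case $1 in
        macos)      fixed=$MACOS_FIXED ;;
        ios|ipados) fixed=$IOS_FIXED ;;
        safari)     fixed=$SAFARI_FIXED ;;
        watchos)    fixed=$WATCHOS_FIXED ;;
        *) echo "check_patched: unknown product '$1'" >&2; return 2 ;;
    esac
    if version_lt "$2" "$fixed"; then
        return 1
    fi
    return 0
}

# audit_inventory INVENTORY: INVENTORY is text with one "name product version"
# entry per line (an MDM export, for instance). Prints one verdict per device.
audit_inventory() {
    while read -r name product version; do
        if [ -z "$name" ]; then continue; fi
        if check_patched "$product" "$version"; then
            echo "$name: ok ($product $version)"
        elif [ $? -eq 2 ]; then
            echo "$name: skipped (unknown product '$product')"
        else
            echo "$name: update required ($product $version)"
        fi
    done <<EOF
$1
EOF
}

# count_unpatched INVENTORY: number of devices still needing the update.
count_unpatched() {
    audit_inventory "$1" | grep -c 'update required'
}

# Live check of the machine running the script, when it is a Mac.
if command -v sw_vers >/dev/null 2>&1; then
    if check_patched macos "$(sw_vers -productVersion)"; then
        echo "this Mac: ok"
    else
        echo "this Mac: update required"
    fi
fi

# Constructed sample inventory so the audit can be run anywhere.
SAMPLE_INVENTORY='mbp-01 macos 11.5.2
mbp-02 macos 11.6
iphone-07 ios 14.7.1
ipad-03 ipados 14.8
watch-02 watchos 7.6.1
safari-old safari 14.1.1'

audit_inventory "$SAMPLE_INVENTORY"
echo "devices needing update: $(count_unpatched "$SAMPLE_INVENTORY")"
```

The comparison is deliberately written in portable shell arithmetic rather than relying on "sort -V", so the same file runs on macOS, on a Linux management host and inside an MDM script step. Treat a "skipped" line as a data-quality problem in the inventory export, not as a pass.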

Quote by Matt Bishop

With efficiency, you focus on making the entire program faster. If there are one or two outlier cases, you typically don't worry about them. But with security, it's exactly the opposite. You secure the average, but the outliers are really the ones you worry about, because those are the ones that attackers look for.

Matt Bishop

