Apple announced the release of an emergency update to address several recently detected security flaws, including a couple of errors that can be exploited remotely. Users need to upgrade to iOS 14.7 on their iPhone or iPad devices. Nonetheless, the patches do not include a fix for a flaw that allows the installation of Pegasus spyware on Apple devices. The most recent reports indicate that threat actors abuse a zero-day vulnerability in the Apple iMessage feature to install the infamous spyware on exposed devices.
This emergency update addresses a total of 40 flaws, of which 37 are iPhone-only. The most severe of these vulnerabilities would allow remote threat actors to execute arbitrary code with root user privileges on the affected devices.
As of now, Apple states that there are no reports of active exploitation; nonetheless, the risk to government agencies is considered critical, so updating as soon as possible is necessary.
Some of the major security patches address flaws that reside in WebKit, the Safari browser engine. All four vulnerabilities (CVE-2021-30758, CVE-2021-30795, CVE-2021-30797, and CVE-2021-30799) exist due to type confusion errors, use-after-free errors, and memory corruption flaws.
Apple’s report includes a list of the 40 flaws addressed in this emergency update.
Besides the updates, Apple issued a list of security recommendations to mitigate exploitation risk, which includes:
- Run any tool as a non-privileged user
- Avoid downloading files or applications from unknown sources
- Do not visit platforms of suspicious appearance or dubious reputation
While the update was released earlier this week, the company has kept the technical details of these flaws undisclosed because of the risk of exploitation. It should be remembered that this is standard practice in the cybersecurity community to prevent the mass exploitation of zero-day flaws.
For the cybersecurity community, this is a warning sign that Apple should take seriously rather than just fixing the flaws detected in iMessage. Dirk Schrader, cybersecurity specialist, believes: “No device or operating system is 100% free from failures; this is a clear example that Apple needs to rethink its current approach to security, which researchers, manufacturers and users often consider more secure than their counterparts.”
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He has also worked for security companies such as Kaspersky Lab. His everyday job includes researching new malware and cyber security incidents. He also has deep knowledge of mobile security and mobile vulnerabilities.