Apple recently released a CRITICAL security update to the iPhone operating system that includes fixes for three “zero-day” vulnerabilities that are already being targeted by criminals. Until you install this update, if you visit a website that is set up to exploit these vulnerabilities (e.g., by clicking on a link, often embedded in a ‘trusted’ e-mail), criminals can quickly run malicious code within your iPhone’s Safari browser without your knowledge.

As detailed by ZDNet on January 25, 2021: Apple has released security updates for iOS to patch three zero-day vulnerabilities that were exploited in the wild. All three zero-days were reported to Apple by an anonymous researcher and patches are available as part of iOS 14.4.

The first zero-day impacts the iOS operating system kernel (CVE-2021-1782), and the other two were discovered in the WebKit browser engine (CVE-2021-1870 and CVE-2021-1871).

The iOS kernel bug was described as a race condition bug that can allow attackers to elevate privileges for their attack code.

The two WebKit zero-days were described as a “logic issue” that could allow remote attackers to execute their own malicious code inside users’ Safari browsers.

Security experts believe the three bugs are part of an exploit chain where users are lured to a malicious site that takes advantage of the WebKit bug to run code that later escalates its privileges to run system-level code and compromise the OS.

However, official details about the attacks where these vulnerabilities were used were not made public, as is typical with most Apple zero-day disclosures these days. Apple also declined to comment further.

This is yet another reason BW Cyber Services ALWAYS recommends you update your smartphone and computer operating systems whenever a software update is provided by the manufacturer.

How BW Cyber Services Can Help

In response to the concerns outlined above, BW Cyber Services can help develop cyber programs designed to ensure that mobile devices that process your organization’s information remain secure. Go here to learn more about our services. If you have any questions or would like more information, please contact BW Cyber Services at info@bwcyberservices.com.