Apple has today released iOS 14.7.1 and iPadOS 14.7.1 to the public after last week's iOS 14.7 release. Today's update patches a security vulnerability that, Apple says, "may have been" exploited in the wild.

"An application may be able to execute arbitrary code with kernel privileges," the iPhone maker explains. "Apple is aware of a report that this issue may have been actively exploited." The company added that the memory corruption issue (tracked as CVE-2021-30807) has been resolved by improving memory handling. The security bug impacts iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).


macOS Big Sur 11.5.1 is also bringing this security patch to Macs. Users are strongly advised to update their devices to the latest macOS 11.5.1 and iOS 14.7.1 to patch this flaw.

iOS 14.7 had addressed a long list of security bugs

Last week, Apple released iOS 14.7 and iPadOS 14.7 to the public, patching a long list of security vulnerabilities. This update was delivered after a collaborative investigation revealed how the Israeli spyware, Pegasus, was routinely targeting iPhones - even the latest ones running the latest versions of iOS.

Here are the complete security notes carrying the list of security flaws that were fixed with the release of iOS 14.7 and iPadOS 14.7 last week:

ActionKit
Impact: A shortcut may be able to bypass Internet permission requirements
Description: An input validation issue was addressed with improved input validation.

Audio
Impact: A local attacker may be able to cause unexpected application termination or arbitrary code execution
Description: This issue was addressed with improved checks.

AVEVideoEncoder
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved state management.

CoreAudio
Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution
Description: A memory corruption issue was addressed with improved state management.

CoreAudio
Impact: Playing a malicious audio file may lead to an unexpected application termination
Description: A logic issue was addressed with improved validation.

CoreGraphics
Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
Description: A race condition was addressed with improved state handling.

CoreText
Impact: Processing a maliciously crafted font file may lead to arbitrary code execution
Description: An out-of-bounds read was addressed with improved input validation.

Crash Reporter
Impact: A malicious application may be able to gain root privileges
Description: A logic issue was addressed with improved validation.

CVMS
Impact: A malicious application may be able to gain root privileges
Description: An out-of-bounds write issue was addressed with improved bounds checking.

dyld
Impact: A sandboxed process may be able to circumvent sandbox restrictions
Description: A logic issue was addressed with improved validation.

Find My
Impact: A malicious application may be able to access Find My data
Description: A permissions issue was addressed with improved validation.

FontParser
Impact: Processing a maliciously crafted font file may lead to arbitrary code execution
Description: An integer overflow was addressed through improved input validation.

FontParser
Impact: Processing a maliciously crafted tiff file may lead to a denial-of-service or potentially disclose memory contents
Description: This issue was addressed with improved checks.

FontParser
Impact: Processing a maliciously crafted font file may lead to arbitrary code execution
Description: A stack overflow was addressed with improved input validation.

Identity Service
Impact: A malicious application may be able to bypass code signing checks
Description: An issue in code signature validation was addressed with improved checks.

Image Processing
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A use after free issue was addressed with improved memory management.

ImageIO
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: This issue was addressed with improved checks.

ImageIO
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: A buffer overflow was addressed with improved bounds checking.

Kernel
Impact: A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication
Description: A logic issue was addressed with improved state management.

Kernel
Impact: An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations
Description: A logic issue was addressed with improved validation.

libxml2
Impact: A remote attacker may be able to cause arbitrary code execution
Description: This issue was addressed with improved checks.

Measure
Impact: Multiple issues in libwebp
Description: Multiple issues were addressed by updating to version 1.2.0.
CVE-2018-25010, CVE-2018-25011, CVE-2018-25014, CVE-2020-36328, CVE-2020-36329, CVE-2020-36330, CVE-2020-36331

Model I/O
Impact: Processing a maliciously crafted image may lead to a denial of service
Description: A logic issue was addressed with improved validation.

Model I/O
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: An out-of-bounds write was addressed with improved input validation.

Model I/O
Impact: Processing a maliciously crafted file may disclose user information
Description: An out-of-bounds read was addressed with improved bounds checking.

TCC
Impact: A malicious application may be able to bypass certain Privacy preferences
Description: A logic issue was addressed with improved state management.

WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A type confusion issue was addressed with improved state handling.

WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A use after free issue was addressed with improved memory management.

WebKit
Impact: Processing maliciously crafted web content may lead to code execution
Description: This issue was addressed with improved checks.

WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: Multiple memory corruption issues were addressed with improved memory handling.

Wi-Fi
Impact: Joining a malicious Wi-Fi network may result in a denial of service or arbitrary code execution
Description: This issue was addressed with improved checks.

Security researchers, human rights activists, and journalists had called on Apple to do more to improve iOS security, especially since the outside security community has had a difficult time reaching out to or working with Apple to address potential security problems. It is likely that Apple will finally start listening to security researchers and will be more aggressive with patching up security vulnerabilities before they end up being weaponized by spyware.