Apple warns of arbitrary code execution zero-day being actively exploited on Macs

The Register - Fri Sep 24 05:59

Apple has warned iPhone and Mac users that it's aware of a zero-day bug that's being actively exploited.

The iGiant has thanked Google for spotting CVE-2021-30869, which the ad giant seems to have noticed because it also impacts the WebKit browser engine.

It's a nasty flaw, as it's in the XNU kernel at the heart of Apple's operating systems including macOS and iOS.

As Apple's advisory explains, that means "A malicious application may be able to execute arbitrary code with kernel privileges".

The fruit-themed company says the flaw existed thanks to a "type confusion issue" that was sorted out "with improved state handling".

The kicker: "Apple is aware of reports that an exploit for this issue exists in the wild."

The fix is Security Update 2021-006 Catalina, which Macs should be urging you about as you read this article – making this the rare occasion on which it might be best to put down The Register and move on to another task.

0day privilege escalation for macOS Catalina discovered in the wild by @eryeh https://t.co/yvCWPo45fL

We saw this used in conjunction with an N-day remote code execution targeting WebKit.

Thanks to Apple for getting a patch out so quickly.

— Shane Huntley (@ShaneHuntley) September 23, 2021

The flaw's also present in older versions of iOS, and impacts the iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad Mini 2, iPad Mini 3, and iPod Touch.

The fix is iOS 12.5.5, which Apple's advisory points out also addresses arbitrary code execution flaws in WebKit and CoreGraphics.

You know the drill, people. And while you're letting Apple's machines patch themselves up, consider that the company appears not to have fixed a similar remote code execution flaw in the macOS Finder, despite third-party researchers trying to fix it. ®