This week Apple reported that there are currently two iOS 0-days that allow hackers to compromise fully patched devices. This comes a week after Apple issued its biggest iOS and iPadOS update since last September’s release of version 14.0.
<p>CVE-2021-30663 and CVE-2021-30665 are vulnerabilities in Webkit. It\’s a browser engine, which is used in Apple’s Safari and other browsers. Apple released updates that fix these vulnerabilities on iOS and macOS devices. It was reported that at the moment the vulnerabilities were discovered, they had been actively used by cybercriminals. However, right now we do not have information about who the attackers are and what their targets were. Usually, browser exploits are delivered to victims via targeted phishing (messages with a link to exploit) or via watering hole attacks, in which a website contains a malicious web script, and all website visitors with a suitable web browser become victims of the exploit.</p> <p> </p> <p>After successful execution of the web browser exploit, the attackers can execute code in the browser’s process. Usually, web browser exploits are used with other exploits to elevate privileges and escape the sandbox. After escaping the sandbox, the actors gain full control over the victims’ device. At the moment, it is not clear which OS – macOS or iOS was targeted in discovered attacks.</p>
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics