On Monday, Apple announced that it had released security patches for various vulnerabilities in iOS, macOS, tvOS and watchOS, including a remote jailbreak attack chain and a number of significant flaws in the kernel and the Safari web browser that were initially exposed at the Tianfu Cup in China two months ago.
The vulnerability identified as CVE-2021-30955 might have allowed a malicious programme to run arbitrary code with kernel privileges. Apple says it fixed the problem by implementing “better state handling.” macOS devices are also affected by the issue.
Kunlun Lab’s CEO tweeted: “We tried [to] use the kernel bug CVE-2021-30955 to build our remote jailbreak chain but failed to complete on time. The Pangu Team used a set of kernel vulnerabilities to break into an iPhone 13 Pro running iOS 15 during the Tianfu hacking competition, earning the white prize.”
In addition to CVE-2021-30955, a total of five kernel and four IOMobileFrameBuffer (a kernel extension for controlling the screen framebuffer) weaknesses have been fixed with the current upgrades:
· CVE-2021-30927 and CVE-2021-30980: A use-after-free flaw that could allow a malicious programme to execute arbitrary code with kernel privileges.
· CVE-2021-30937: A memory corruption flaw that could allow a malicious programme to execute arbitrary code with kernel privileges.
· CVE-2021-30949: A memory corruption flaw that could allow a malicious programme to execute arbitrary code with kernel privileges.
· CVE-2021-30993: A buffer overflow vulnerability that could allow a privileged network attacker to execute arbitrary code.
· CVE-2021-30983: A buffer overflow vulnerability that could allow a user to execute arbitrary code with kernel privileges.
· CVE-2021-30985: An out-of-bounds write vulnerability that could allow a malicious programme to execute arbitrary code with kernel privileges.
· CVE-2021-30991: An out-of-bounds read vulnerability that could lead to remote code execution.
Seven security holes in the WebKit component were also corrected: CVE-2021-30934, CVE-2021-30936, CVE-2021-30951, CVE-2021-30952, CVE-2021-30953, CVE-2021-30954, and CVE-2021-30984. These may lead to arbitrary code execution if specially crafted web content is processed.
Finally, the researchers concluded that “Apple also fixed a couple of bugs in the Notes and Password Manager applications in iOS that may allow someone with physical access to an iOS device to access contacts from the lock screen and get passwords without requiring verification. Last but not least, a FaceTime flaw has been fixed, which might have otherwise exposed sensitive user information through Live Photos metadata.”