Apple has released security updates to fix vulnerabilities in iOS 14.5, macOS Big Sur 11.3, Safari 14.1, tvOS 14.5, watchOS 7.4, Xcode 12.5 and other products.
A hacker could exploit some of these vulnerabilities to take control of affected devices.
iOS 14.5 and iPadOS 14.5
The latest iOS 14.5 and iPadOS 14.5 security update released on April 26 addressed 50 vulnerabilities. Seven of these could result in arbitrary code execution:
- CVE-2021-1881: Out-of-bounds read in Font Parser
- CVE-2021-1885: Out-of-bounds read in ImageIO
- CVE-2021-30653, CVE-2021-1843: Improved checks in ImageIO
- CVE-2021-1858: Out-of-bounds write in ImageIO
- CVE-2021-1817: Memory corruption in WebKit
- CVE-2021-30661: A use after free issue in WebKit Storage.
Apple also fixed a Password Manager vulnerability CVE-2021-1865 where user’s password may be visible on screen. The flaw was fixed by obscuring passwords in screenshots via improved logic.
Moreover, another patched vulnerability CVE-2021-1813 in Foundation could allow a malicious application to gain root privileges.
The update is available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) models.
Apple released macOS Big Sur 11.3 security update on April 26 that addressed a whopping 60 vulnerabilities. Many of those same vulnerabilities were addressed in iOS updates previously mentioned.
One of the patched vulnerabilities CVE-2021–30657 in System Preferences could allow a malicious application to bypass Gatekeeper checks.
The flaw was previously discovered by security researcher Cedric Owens, who also wrote about it in a blog post on Medium. Owens warned the vulnerability “allows an attacker to very easily craft a macOS payload that is not checked by Gatekeeper.”
Security researchers from Jamf also uncovered a new strain of malware dubbed Shlayer that abuses CVE-2021-30657 and bypasses some of macOS built-in protections to include Gatekeeper, Notarization and File Quarantine.
iCloud for Windows 12.3
The Apple iCloud for Windows 12.3 security update fixed four vulnerabilities (CVE-2021-1857, CVE-2021-1811, CVE-2021-1825 and CVE-2020-7463).
The update is available for systems running Windows 10 and later via the Microsoft Store.
The Apple Safari 14.1 security update fixed just two vulnerabilities – an input validation issue (CVE-2021-1825) and use after free issue (CVE-2020-7463).
The update is available for systems running macOS Catalina and macOS Mojave.
The tvOS 14.5 security update addressed 35 vulnerabilities in total, 11 of those that could lead to arbitrary code execution.
The update is available for Apple TV 4K and Apple TV HD models.
The latest Apple Watch 7.4 security update addressed 38 vulnerabilities that impact Apple Watch Series 3 and later models.
The Apple Xcode 12.5 security update patched just one vulnerability CVE-2021-21300 that could allow a remote attacker to cause arbitrary code execution.
This update is available for macOS Big Sur 11 and later.
Updated on April 28, 2021: This article was updated to include new revelations on macOS CVE-2021–30657 that could allow a malicious application to bypass Gatekeeper checks. Also added was recent research on new Shlayer malware strain that also abuses same vulnerability.
- XCSSET malware now targets Apple’s macOS 11 and M1-based Macs
- Apple iOS 14.4.2 security update fixes zero-day vulnerability exploited in the wild
- North Korea threat actors use AppleJeus malware to steal cryptocurrency
- Apple releases iOS 14.4 with fixes for 3 zero-days exploited in wild (and other security updates)