Apple have issued patches to rectify three actively exploited zero-day vulnerabilities as part of an iOS emergency update. Additionally, the company have added a security service called BlastDoor to iOS 14 that prevents message-based zero-click exploits through its iMessage service.
Bugs were identified in the software’s kernel and WebKit browser engine that are likely part of an exploit chain. These three recent vulnerabilities were noticed after a major software update in November had already fixed three other vulnerabilities that were being actively exploited.
BlastDoor was introduced after espionage attacks were found to be launched against businesses. The new method effectively filters any inbound messages to ensure that no malicious communications can be spread to compromise a recipient’s device. While these fixes have been issued to solve mobile-only issues, if your business uses Apple products there was potential for malware to be spread within devices linked via the Apple ecosystem. It is thought cyber criminals may have been actively taking advantage of the latest bugs.
Apple described the kernel flaw as ‘a race condition’ that the update addresses ‘with improved locking’. If exploited, the vulnerability allows a malicious application to escalate privileges and compromise a device after its user becomes a victim of a malicious website leveraging the WebKit flaw. Devices affected by the zero-day vulnerabilities, and covered by the fixes, include: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation).
Users are urged to ensure their devices are updated with the recent patches as soon as possible. This is good cyber hygiene and useful to employ across any device you use. If automatic updates can be switched on, you should do so, as it will ensure that any time a quick fix or patch is issued by a developer, your device(s) will download and apply it, keeping your device safe and secure.