Quote:Apple has patched three actively exploited zero-day security vulnerabilities in updates to iOS and macOS, one of which can allow an attacker to execute arbitrary code with kernel privileges.
 
Apple released two updates on Thursday: iOS 12.5.5, which patches three zero-days that affect older versions of iPhone and iPod devices, and Security Update 2021-006 Catalina for macOS Catalina, which patches one of same vulnerabilities, CVE-2021-30869, that also affects macOS.
 
The XNU kernel vulnerability — the discovery of which was attributed to Google researchers Erye Hernandez and Clemente Lecigne of Google Threat Analysis Group and Ian Beer of Google Project Zero — is a type-confusion issue that Apple addressed with “improved state handling,” according to its advisory.
 
“A malicious application may be able to execute arbitrary code with kernel privileges,” the company said. “Apple is aware of reports that an exploit for this issue exists in the wild.”
 
The flaw also affects the WebKit browser engine, which is likely why it caught the attention of the Google researchers. The issue affects macOS Catalina as well as iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).