Apple has released security updates to address a zero-day vulnerability said to have been exploited by hackers to compromise iPhones and Macs running older iOS and macOS versions.
The zero-day in question (CVE-2021-30869) resides in the XNU subsystem and can be used to run arbitrary code with elevated privileges by triggering a type confusion error with a specially crafted program.
The vulnerability impacts iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation) running iOS 12.5.5, and Macs running macOS Catalina.
As Shane Huntley, head of the Google Threat Analysis Group, explained, CVE-2021-30869 was used together with an N-day remote code execution exploit targeting WebKit. He added that more detailed information on the attack will be published after 30 days.
Apple also backported security updates for two zero-days (CVE-2021-30860 and CVE-2021-30858) patched earlier this month following the report from the University of Toronto's Citizen Lab about a previously unknown exploit called "FORCEDENTRY" (aka Megalodon), which was used to install the Pegasus spyware on the phones of multiple activists.