Apple has released patches that fix security flaws in the system software running on its iPhones, iPads, Apple Watches, and Macs.
Apple recommends that users install these updates as soon as possible because the vulnerabilities may have already been actively exploited.
The first fix is for a flaw in the CoreGraphics component on all four operating systems. The flaw allows an attacker who sends a maliciously crafted PDF to a user to execute arbitrary code on their device.
The vulnerability was discovered by The Citizen Lab, which found it was used to deploy updated Pegasus spyware to a Bahraini activist’s iPhone in February 2021.
The Citizen Lab found that the new exploit is a “zero-click” attack, meaning it requires no action on the user’s part.
It was dubbed ForcedEntry because of its ability to bypass Apple’s BlastDoor protection.
In response to the disclosure, an Apple spokesperson said the company's defenses would be strengthened in the upcoming iOS 15 release, which is expected to launch this month or in October.
It now appears the company deemed the threat serious enough to justify a patch just a day before announcing its new iPhone and Apple Watch.
Apple said it fixed the issue by addressing an integer overflow with improved input validation.
The second flaw was in the WebKit component on iOS, iPadOS, and macOS; it allows maliciously crafted web content to lead to arbitrary code execution.
This issue was disclosed by an anonymous researcher and carries the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-30858.
Devices that support the two updates are as follows:
- iPhone 6s and later
- iPad Pro, iPad Air 2 and later, iPad 5th generation and later, iPad Mini 4 and later, iPod Touch 7th generation
- Apple Watch Series 3 and later
- Mac systems that can run macOS Big Sur