Zero-Day: Apple and Chrome issue urgent security updates

Apple and Chrome are calling for users to urgently upgrade their devices and browsers to address critical security threats.


Apple has recently released important iOS 14.8, macOS Big Sur 11.6, iPadOS 14.8 and watchOS 7.2.6 updates, just days before the rollout of iOS 15. The tech giant is urging customers to update their devices ASAP to address two vulnerabilities that could already be affecting some devices.

The updates are minor and will not add any new features to devices, but will fix up to two security issues: one zero-day threat affecting the CoreGraphics framework in iOS, iPadOS and macOS, and the other affecting Apple’s WebKit browser engine.

Apple warns of two security vulnerabilities

According to Forbes, Apple’s new iOS update fixes a ‘vulnerability in Apple's CoreGraphics framework, where processing a maliciously crafted PDF may allow an attacker to execute code.’

Independent researchers have warned that the zero-click PDF file, reported by ethical hacker Citizen Lab, could allow for malware to be downloaded onto your tech even if the file was left unopened. Citizen Lab said the threat has been operating since February and has also been linked to Pegasus spyware. The Washington Post reported that the NSO spyware has already been misused to hack the phones of 37 journalists and activists.

The second security issue addressed is in the Apple WebKit browser, where ‘processing malicious web content could allow an adversary to execute code.’

The Apple Support site provided a rundown of the updates for the CoreGraphics framework, explaining: ‘Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).’

Impact: Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

‘Description: An integer overflow was addressed with improved input validation.’

The site also addressed updates for the WebKit browser engine: ‘Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).’

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

‘Description: A use after free issue was addressed with improved memory management.’

If your device hasn’t automatically alerted you to the update, you can update it manually by going to ‘Settings’ - ‘General’ and clicking on ‘Software Update.’ For Macs, the process is slightly different: go into your ‘System Preferences’ menu and select ‘Software Update.’

Google Chrome releases new update, addressing 11 security issues

Google Chrome users are also being urged to update their browser to address a total of 11 security issues, two of which are described as active zero-days in the wild.

The two tracked zero-day bugs labelled CVE-2021-30632 and CVE-2021-30633 were reported anonymously to the platform on the 8th of September. The issues involve an 'out of bounds write in V8' JavaScript engine and a 'use after free in Indexed DB API,' respectively.

Google said it is ‘aware that exploits for CVE-2021-30632 and CVE-2021-30633 exist in the wild.’ However, the company did not release any details on how, when or where the breaches occurred.

Chrome revealed in a blog post that Windows, Mac, and Linux users will be able to download the latest 93.0.4577.82 update 'over the coming days/weeks.'

What is a zero-day vulnerability?

A zero-day vulnerability is a security flaw that isn’t identified until after it has already been exploited. As zero-day breaches are often newly discovered, patches and official updates aren’t immediately available. The term zero-day then refers to developers having zero days to fix the problem, as the security issue could already be circulating.