Apple today released security updates for iOS to patch three zero-day vulnerabilities that were exploited in the wild.
All three zero-days were reported to Apple by an anonymous researcher, and the patches ship as part of iOS 14.4.
The first zero-day impacts the iOS operating system kernel (CVE-2021-1782), and the other two were discovered in the WebKit browser engine (CVE-2021-1870 and CVE-2021-1871).
The iOS kernel bug was described as a race condition that can allow attackers to elevate the privileges of their attack code.
The two WebKit zero-days were described as a “logic issue” that could allow remote attackers to execute their own malicious code inside users’ Safari browsers.
Security experts believe the three bugs are part of an exploit chain where users are lured to a malicious site that takes advantage of the WebKit bug to run code that later escalates its privileges to run system-level code and compromise the OS.
However, official details about the attacks where these vulnerabilities were used were not made public, as is typical with most Apple zero-day disclosures these days. Apple also declined to comment further.
Today's three bugs come after Apple patched another set of three iOS zero-days in November last year. The November zero-days were discovered by one of Google's security teams.
News of another set of iOS zero-days also came to light in December when Citizen Lab reported attacks against Al Jazeera staff and reporters earlier in 2020. These iOS zero-days were inadvertently patched when Apple released iOS 14, an iOS version with improved security features.