
Critical Updates for multiple Apple products

Apple has released security updates for the following products in response to disclosures from The Citizen Lab [6] and an anonymous researcher. Both vulnerabilities are reported to have been exploited in the wild. One of them (CVE-2021-30860, an integer overflow in CoreGraphics PDF parsing) is the bug behind FORCEDENTRY, a zero-click iMessage exploit that leads to arbitrary code execution with no user interaction; the other (CVE-2021-30858) is a WebKit use-after-free reachable through malicious web content. The exploitation observed in the wild was targeted use of NSO Group's spyware, and the Office of Information Security (OIS) does not believe it would have broadly impacted Penn users. Now that the details are public, however, OIS recommends that LSPs patch the following systems as soon as possible. End users should check with their LSPs before patching:

 

- macOS Big Sur (11.x)

- macOS Catalina (10.15.x)

- macOS Mojave (10.14.x)

- iOS 14.x

- iPadOS 14.x

- watchOS 7.6

- Safari 14.1
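As an added example (not part of the OIS announcement or of Apple's advisories), the following POSIX shell script classifies a Mac against the fixed versions given in the Notes below: macOS Big Sur 11.6 [1], Security Update 2021-005 Catalina [2] plus Safari 14.1.2 [3] for Catalina, and Safari 14.1.2 [3] for Mojave. It assumes that `sw_vers`, `defaults` and `system_profiler SPInstallHistoryDataType` are available to read live values on a Mac, and that the Catalina security update shows up in the install history under its name; since the security update does not change the `sw_vers` product version, that history is the only way to see it. iOS, iPadOS and watchOS devices are not scripted here because they report versions through Settings or MDM rather than a shell.

```shell
#!/bin/sh
# Added example for this announcement; not part of the OIS text or Apple's advisories.
# Fixed versions (from the Notes): Big Sur 11.6 [1]; Catalina needs Security Update
# 2021-005 [2] and Safari 14.1.2 [3]; Mojave is listed only for Safari 14.1.2 [3].
# Assumption (not from the page): sw_vers/defaults/system_profiler read live values.

# version_ge A B: succeed (exit 0) when dotted numeric version A >= B.
# Done by hand because `sort -V` is not available on every sh.
version_ge() {
    a="$1"
    b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        : "${ax:=0}"; : "${bx:=0}"          # missing component counts as 0
        if [ "$ax" -gt "$bx" ]; then return 0; fi
        if [ "$ax" -lt "$bx" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# assess_macos PRODUCT_VERSION SAFARI_VERSION HAS_SU_2021_005(yes|no)
# Prints a status word (PATCHED, UNPATCHED, UNKNOWN); for UNPATCHED it is
# followed by a colon and the action the announcement asks for.
assess_macos() {
    product="$1"; safari="$2"; has_su="$3"
    case "$product" in
        11.*)
            # Big Sur 11.6 carries both the CoreGraphics and the WebKit fix [1].
            if version_ge "$product" 11.6; then
                echo "PATCHED"
            else
                echo "UNPATCHED: update to macOS Big Sur 11.6"
            fi ;;
        10.15.*)
            # Catalina needs the security update for CoreGraphics [2] and
            # Safari 14.1.2 for WebKit [3]; neither changes the 10.15.x version.
            if [ "$has_su" = "yes" ] && version_ge "$safari" 14.1.2; then
                echo "PATCHED"
            else
                echo "UNPATCHED: install Security Update 2021-005 Catalina and Safari 14.1.2"
            fi ;;
        10.14.*)
            # Only the Safari/WebKit fix is listed for Mojave in this announcement.
            if version_ge "$safari" 14.1.2; then
                echo "PATCHED"
            else
                echo "UNPATCHED: install Safari 14.1.2"
            fi ;;
        *)
            echo "UNKNOWN: macOS $product is not covered by this announcement" ;;
    esac
}

# Live check, only where the Apple tools exist (the functions above run anywhere).
if command -v sw_vers >/dev/null 2>&1; then
    pv="$(sw_vers -productVersion)"
    sv="$(defaults read /Applications/Safari.app/Contents/Info.plist CFBundleShortVersionString 2>/dev/null || echo 0)"
    if system_profiler SPInstallHistoryDataType 2>/dev/null | grep -q 'Security Update 2021-005'; then
        su=yes
    else
        su=no
    fi
    echo "macOS $pv, Safari $sv, SU 2021-005 installed=$su -> $(assess_macos "$pv" "$sv" "$su")"
fi
```

Run it over an SSH or MDM shell on each Mac, or feed `assess_macos` values collected from an inventory tool. Note that the Catalina and Mojave branches deliberately do not trust the product version alone: a Catalina machine reporting 10.15.7 can be fully patched or entirely unpatched, and only the install history and the Safari bundle version tell the two apart.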

 

As always, if you have any questions or concerns, please reach out to security@isc.upenn.edu.

 

Notes:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

macOS Big Sur 11.6 [1]

Released September 13, 2021

 

CoreGraphics

 

Available for: macOS Big Sur

 

Impact: Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

 

Description: An integer overflow was addressed with improved input validation.

 

CVE-2021-30860: The Citizen Lab

 

WebKit

 

Available for: macOS Big Sur

 

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

 

Description: A use after free issue was addressed with improved memory management.

 

CVE-2021-30858: an anonymous researcher

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Security Update 2021-005 Catalina, watchOS 7.6.2, iOS 14.8, iPadOS 14.8 [2,4,5]

Released September 13, 2021

 

CoreGraphics

 

Available for: macOS Catalina, watchOS 7.6, iOS 14.x, iPadOS 14.x (fixed in Security Update 2021-005 Catalina, watchOS 7.6.2, iOS 14.8 and iPadOS 14.8)

 

Impact: Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

 

Description: An integer overflow was addressed with improved input validation.

 

CVE-2021-30860: The Citizen Lab

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Safari 14.1.2 [3]

Released September 13, 2021

 

WebKit

 

Available for: macOS Catalina, macOS Mojave, iOS 14.8, iPadOS 14.8

 

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

 

Description: A use after free issue was addressed with improved memory management.

 

CVE-2021-30858: an anonymous researcher

 

References:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

[1] https://support.apple.com/en-us/HT212804

[2] https://support.apple.com/en-us/HT212805

[3] https://support.apple.com/en-us/HT212808

[4] https://support.apple.com/en-us/HT212806

[5] https://support.apple.com/en-us/HT212807

[6] https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/