Apple has released a security update to close three zero-day vulnerabilities: CVE-2021-1780, CVE-2021-1781, and CVE-2021-1782. Because Apple believes unnamed cybercriminals are already exploiting those vulnerabilities, the company advises all iOS and iPadOS users to update their operating systems.
CVE-2021-1780 and CVE-2021-1781 are vulnerabilities in the WebKit browser engine, which the default browser, Safari, uses. According to Apple, both can lead to arbitrary code execution on the affected device.
Users of other browsers still need this update. Even if another browser is installed, other applications may still call the Safari engine for in-app browsing. The very presence of a vulnerable engine in the system is dangerous.
CVE-2021-1782 is a vulnerability in the system kernel. Apple describes it as a race condition error that someone can potentially use to elevate the privileges of a process.
According to the information available, unknown actors may already be using the vulnerabilities. They may use the three vulnerabilities as an exploit chain, but with investigation ongoing, and for users’ protection, Apple plans to delay the release of more details. The CVE database also lacks accurate information at present.
How to protect your iOS devices
- Update any iPhones and iPads that support it to iOS/iPadOS 14.4 as soon as possible. According to Apple’s website, the update is available for the iPhone 6s and newer, iPad Air 2 and newer, iPad mini 4 and newer, and the seventh-generation iPod touch.
- If your device is older and does not support version 14.4 of iOS or iPadOS, install another browser as an alternative to Safari, and set it as the default browser. For example, starting with iOS 11, you can use Firefox or DuckDuckGo, and starting with iOS 12, you can also opt for Google Chrome.