Apple has released a series of security updates to patch two critical vulnerabilities that the company says were “actively exploited” in the wild.
The following updates were released on Monday, September 13, 2021:
Each of these updates patches one or both of the following issues:
Component: CoreGraphics
Impact: Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: An integer overflow was addressed with improved input validation.
Vulnerability ID: CVE-2021-30860, reported by The Citizen Lab
Component: WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A use after free issue was addressed with improved memory management.
Vulnerability ID: CVE-2021-30858, reported by an anonymous researcher
Every one of Apple’s operating systems received both updates, with two exceptions:
It is unclear whether those vulnerabilities were simply not exploitable on those operating systems, or if there was some other reason why they were not patched. We have reached out to Apple for clarification and will update this article if Apple responds.
The bug that wasn’t patched for Mojave is reportedly one that was exploited by Pegasus spyware on iOS, as we reported on back in July:
Apple’s next versions of its flagship operating systems—iOS 15, iPadOS 15, and macOS Monterey—are due this fall.
Apple quietly announced the iOS 15 and iPadOS 15 release date, Monday, September 20, shortly after its September 14th “California Streaming” Apple Event which we covered here on The Mac Security Blog. However, Apple has not yet announced precisely when macOS Monterey will be released.
Apple typically only releases security updates for the current and two previous versions of the Mac operating system. This means that macOS Big Sur (aka macOS 11), macOS Catalina (macOS 10.15), and macOS Mojave (macOS 10.14) are currently supported. All older versions are no longer receiving any security updates whatsoever.
For optimal security and privacy, it’s best to stay on the latest version of macOS that your Mac supports, and use trusted protection tools—like Intego’s Mac Premium Bundle X9—to keep your Mac as safe as possible from viruses and cyber threats.
As for iOS (and iPadOS), Apple currently releases security updates for the current version, with occasional updates for a previous version. For now, this means that iOS 14 and iPadOS 14 get all security updates, and iOS 12 (the last version that will run on older mobile devices) occasionally gets updates to resolve some—but not all—vulnerabilities.
After iOS 15 and iPadOS 15 are released next Monday, Apple has pre-committed to continue releasing updates for iOS 14 and iPadOS 14. This marks a departure from Apple’s past practices, especially since versions 14 and 15 support the same hardware. However, it remains to be seen whether there will be a similar relationship as currently exists between 14 and 12 (where the older version doesn’t receive patches for every security flaw). It also remains to be seen whether Apple will continue to release occasional iOS 12 updates to offer continued support for older hardware that cannot run the latest iOS or iPadOS.
Be sure to subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog to stay up to date on the most important Apple, security, and privacy news. Follow Intego on your favorite social media channels to ensure you never miss an update: Twitter, Facebook, LinkedIn, Instagram, and YouTube.