Apple has released urgent security updates for macOS and iOS that should be installed as soon as possible. Security researchers at Google had previously discovered a zero-day vulnerability (CVE-2021-30869) in the XNU kernel, the heart of both operating systems. A malicious app can misuse the vulnerability to execute any malicious code with kernel rights – in other words: to completely compromise the system. The vulnerability is particularly critical because it is zero-day. In other words, by the time Google’s researchers discovered it, it was already being used for attacks. Apple itself warns of this – there are reports that the loophole is already being exploited “in the wild”.
Macs with macOS Catalina (version 10.15) should already offer their users the security update 2021-006, which closes the gap. For iOS, older versions of the operating system are also affected.
The following devices are vulnerable: iPhone 5s, 6, 6 Plus as well as iPad Air, Mini 2, Mini 3 and the iPod Touch. The loophole will be fixed there with an update to iOS 12.5.5; it also fixes a notorious bug that is exploited by the Pegasus spyware for older devices, so it is doubly important. Die Updates should be installed as soon as possible, as attacks against vulnerable devices are obviously already in progress. Security researchers suspect that the vulnerability is being misused for attacks on the web browser component WebKit, which is used in many apps and in macOS and iOS itself.
at the vulnerability This is a memory handling problem in which the kernel does not correctly check what type of data is being written to the memory and thus attackers can execute their malicious code. According to Apple, the update improves the health check in this area, thus preventing memory fragments from running that should not be run.
It remains unclear whether the XNU bug also affects current macOS and iOS versions. Apple makes in the existing security release notes for iOS 15 and iPadOS 15 as iOS 14.8 and macOS Big Sur 11.6 no information on this so far. However, to the annoyance of many security experts, the group now tends to come out with fixed bugs bit by bit. In iOS 14.8, for example, additional patched gaps – including critical ones – were only added one week after the release.
Gap in Finder remains unpatched
Independently of the zero-day exploit in the XNU kernel, there is currently another one Gap in the file manager Finder of macOS. The Finder vulnerability is also a vulnerability that attackers can use to remotely execute any malicious code. Apple said it had closed the loophole with macOS Big Sur (version 11.6), but the fix does not seem to have been far-reaching enough that Apple’s desktop operating system can still be attacked via this loophole.
In order to abuse the vulnerability, an attacker creates a file with the extension .inetloc and adds malicious code to it. Such files can be attached to e-mails, for example, and may then be automatically executed without warning if the victim clicks on them. If the file is manually downloaded and double-clicked, the malicious code is also executed. The macOS security functions Quarantine and Gatekeeper should actually prevent this behavior of the operating system, but the vulnerability ensures that the malicious code is executed without problems.
According to the security researcher who discovered the vulnerability, Apple had fixed the problem starting with macOS Big Sur by allowing files of this type to be used under certain circumstances to be able to code via a
file:// Loading URL prevents. However, Apple was apparently a little too gullible and forgot to block other spellings of “file” as well. Which means that the hack still works if you have code or programs with a URL with the prefix
FiLe:// loads. Since Apple’s patch can be bypassed with this simple trick, macOS is still vulnerable to attacks with .inetloc files.