Apple had already fixed three zero-day flaws in iOS last November, but the latest update to its mobile OS fixes three more that are being actively exploited by attackers.
Apple released the iOS 14.4 update on 26 January 2021. The security patches accompanying this release fix three zero-day vulnerabilities that, according to Apple, may have been actively exploited. All three were reported to Apple by an anonymous researcher.
An exploit chain
One of the flaws affects the kernel of the iOS operating system (CVE-2021-1782); the other two are in the WebKit browser engine (CVE-2021-1870 and CVE-2021-1871).
The iOS kernel bug is described as a race condition that can allow a malicious application to elevate its privileges. The two WebKit zero-days are described as a "logic issue" that can allow a remote attacker to execute arbitrary code in the context of a user's Safari browser, for example when the user visits a crafted web page.
Security experts believe that all three bugs form a single exploit chain: users are lured to a malicious site that triggers the WebKit bug to gain code execution inside the browser, and that code then uses the kernel bug to escape the browser sandbox, elevate its privileges to the system level and compromise the device.
Other zero-day vulnerabilities
However, Apple has not released any details of the attacks in which these vulnerabilities were used, as has been the case with most of its recent zero-day disclosures.
Today's three fixes come two months after Apple patched another round of three zero-day iOS flaws in November 2020. Those November vulnerabilities were discovered by one of Google's security teams.
Another round of iOS zero-day flaws also came to light in December, when Citizen Lab reported attacks on Al Jazeera staff and reporters. Those bugs appear to have been closed as a side effect of Apple's release of iOS 14, a version of iOS with enhanced security features, rather than through a targeted fix.