Yesterday’s release of iOS 14.4, alongside updates to Apple’s other operating systems, includes the typical bug fixes. However, Apple acknowledges that iOS 14.4 fixes three security bugs that the company says “could have been actively exploited.” This is the first time Apple has explicitly acknowledged closing a security flaw that could have been exploited in a malicious attack.
Safari and Kernel bugs have been fixed by iOS 14.4
The iOS 14.4 security document describes the three bugs fixed with the update. They are as follows:
CVE-2021-1782: a malicious application can gain elevated privileges in the Kernel.
CVE-2021-1870 and CVE-2021-1871: a remote attacker can cause arbitrary code execution in WebKit.
The Kernel is a fundamental part of the operating system that allows the rest of the software to access the hardware. WebKit is the browser engine developed by Apple for Safari, which is used on both macOS and iOS. Often, a hacker will use multiple bugs in a chain to gain access to a device. In this case, there are two “keys” to get in and a “door” to open with them.
It is unknown whether the bugs have been used against one or more users or exploited on a large scale. However, the security note itself states that “additional details will be available soon”.
An anonymous researcher could be rewarded
In the security notes for a new software release, Apple usually names the person or team that found each bug. If no direct attribution appears, it is assumed that the bug was fixed by Apple’s own team. But in this case, the three bugs are attributed to “an anonymous researcher”.
In the world of hardware and software security, it is common practice to publicize such bugs once the company has been contacted and the bugs have been fixed. In this way, the finder gains relevance and prestige among peers, as if it were a new resume line. This is why the anonymity of the person or group that reported the three bugs is even more striking.
It is worth remembering that each update fixes bugs, in some cases major ones, that help to protect the security of our devices.
This is not the first time that maliciously exploited security bugs have been discovered. One of the most notorious cases was Pegasus, a set of three bugs that also allowed access to the Kernel. They were used by the United Arab Emirates to spy on a political dissident in the country, and Apple fixed them in summer 2016.
Apple launched a rewards program some time ago, where it awards monetary prizes to those who manage to crack the security of its devices. Prizes range from 100,000 USD for bypassing the lock screen, to 1 million USD for managing to execute code in the Kernel without clicks.
Of course, the anonymous tipster could well pocket a few hundred thousand dollars for those three bugs. We’ll see if we find out more about this in the coming weeks.