CSW Discovers its 50th Zero Day!

July: Apple Patches 52 Security Vulnerabilities

Posted on Aug 9, 2021 | By Pavithra Shankar

Apple had released security patches to address 52 unique vulnerabilities in July, which includes two zero-day exploits. We analyzed these weaknesses and spotlighted the most important vulnerabilities that ought to be fixed on priority.

Overview

The 52 vulnerabilities that were patched in July include

  • 7 CVEs classified as Remote Code Execution bugs

  • 9 CVEs have Privilege Escalation capabilities

  • 15 CVEs linked to Buffer Overflow

  • 2 CVEs with Denial of Service

  • 14 CVEs are Arbitrary Code Execution

Interestingly, CISA had issued three alerts this July urging all Apple users to address and update the recently patched security vulnerabilities in multiple products.

Zero-Day Vulnerabilities

This July, Apple released an update for a dangerous new zero-day bug (CVE-2021-30807) that exists in iOS 14.7. This vulnerability is described as a memory corruption issue that determines how an application manager controls the display of a device. For instance, any malware that resides in an application can leverage and take complete control of the device.

CVE-2021-30807 is considered to be the thirteenth zero-day flaw covered by Apple in 2021. Given the public availability of a proof-of-concept (PoC) exploit, users should upgrade their devices to the most recent version as soon as possible to minimize the risk associated with the issue.

 

Another zero-day vulnerability in iOS tracked as CVE-2021-30800 was fixed. This vulnerability is named “WIFIDemon” and is considered to be a severe bug that could lead to denial of service or arbitrary code execution. Therefore, we recommend you immediately update your iOS device to iOS 14.7 to secure it from WiFiDemon attacks.

It's also a zero-click vulnerability that allows a threat actor to infect a device without requiring any user input, although it does require the setting to be enabled to join Wi-Fi networks automatically.

Additionally, two more zero-day (CVE-2021-30761, CVE-2021-30762) vulnerabilities that were patched in early June received a second patch this July. These two vulnerabilities are found in Webkit Storage that leads to arbitrary code execution.

Old Vulnerabilities

We have seven old vulnerabilities patched in Apple this July, ranging from the year 2018 to 2020.

  • All of these vulnerabilities have been rated critical and accredited with a CVSS v3 score of 9.1 to 9.8.

  • 6 CVEs are classified as Buffer Overflow bugs and one is of Remote Code Execution.

  • Of these, 6 CVEs are categorized under the 2021 CWE Top 25 Most Dangerous Software Weaknesses published by MITRE.

Table: Apple July 2021 Patches 

On 27 July 2021, CISA issued an alert urging the users to address the multiple vulnerabilities in macOS Big Sur 11.5.1, iOS 14.7.1, and iPadOS 14.7.1. Therefore, all Apple users can to continue to install the latest updates manually, if the automatic update option is disabled.

Test your defense to know how secure you are…