Saturday, September 18, 2021

Apple emergency zero-day repair for iPhones and Macs – get it now! – Bare Safety

You might be forgiven for thinking that July 2021 was Microsoft’s month for cybersecurity vulnerabilities.

First there was PrintNightmare in several guises, followed by HiveNightmare (an entirely unrelated bug that nevertheless attracted the “Nightmare” moniker), followed by PetitPotam (which went down the cute aquatic mammal naming path).

Now, however, it’s Apple’s turn to be in the patch-right-now spotlight, with a somewhat under-announced emergency zero-day fix, just a few days after the company’s last, and much broader, security update.

This one doesn’t have a fancy name, but instead goes simply by CVE-2021-30807, and was reported, according to Apple “by an anonymous researcher”.

Indeed, all we know about it, and all Apple has said so far, is that:

An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

If the crooks knew about it first, that makes it a zero-day bug, the jargon term used when the patch came out after the Bad Guys had a head start, rather than before the Bad Guys figured it out for themselves.

(The name zero-day or 0-day denotes that there were zero days during which even the keenest and earliest adopters of official updates could have patched in advance.)