Kaspersky comment: IOS 0-days vulnerabilities discovered
May 2021 by
This week Apple reported that there are currently two iOS 0-days that allow hackers to compromise fully patched devices. This comes a week after Apple issued its biggest iOS and iPadOS update since last September’s release of version 14.0.
In response to this ongoing vulnerability, please find a comment from Boris Larin, security researcher at Kaspersky’s GReAT team, which details how hackers are currently exploiting the vulnerabilities.
Boris Larin, security researcher at Kaspersky’s GReAT:
“CVE-2021-30663 and CVE-2021-30665 are vulnerabilities in Webkit. It’s a browser engine, which is used in Apple’s Safari and other browsers. Apple released updates that fix these vulnerabilities on iOS and macOS devices. It was reported that at the moment the vulnerabilities were discovered, they had been actively used by cybercriminals. However, right now we do not have information about who the attackers are and what their targets were. Usually browser exploits are delivered to victims via targeted phishing (messages with a link to exploit) or via watering hole attacks, in which a website contains a malicious web script and all web site visitors with a suitable web browser become victims of the exploit. After successful execution of the web browser exploit, the attackers can execute code in the browser’s process. Usually web browser exploits are used with other exploits to elevate privileges and escape the sandbox. After escaping the sandbox, the actors gain full control over the victims’ device. At the moment, it is not clear which OS - macOS or iOS was targeted in discovered attacks.”