Apple releases details of security fixes in iOS 14.7 and iPadOS 14.7

What you need to know

  • Apple has released the details of its security fixes in iOS 14.7 and iPadOS 14.7.
  • The fixes include ones for Find My and WebKit.

Apple released a ton of security fixes for iOS and iPadOS.

Earlier today, Apple released iPadOS 14.7 to the public after releasing iOS 14.7 earlier this week.

In addition to those software releases, Apple has published the full list of the security fixes it has released as part of those software updates. The updates include security fixes to both Find My and WebKit.

You can check out the full list of security fixes below or on the Apple Support website:

ActionKit

  • Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
  • Impact: A shortcut may be able to bypass Internet permission requirements
  • Description: An input validation issue was addressed with improved input validation.
  • CVE-2021-30763: Zachary Keffaber (@QuickUpdate5)

Audio

  • Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
  • Impact: A local attacker may be able to cause unexpected application termination or arbitrary code execution
  • Description: This issue was addressed with improved checks.
  • CVE-2021-30781: tr3e

AVEVideoEncoder

  • Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
  • Impact: An application may be able to execute arbitrary code with kernel privileges
  • Description: A memory corruption issue was addressed with improved state management.
  • CVE-2021-30748: George Nosenko

CoreAudio

  • Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
  • Impact: Processing a maliciously crafted audio file may lead to arbitrary code execution
  • Description: A memory corruption issue was addressed with improved state management.
  • CVE-2021-30775: JunDong Xie of Ant Security Light-Year Lab

CoreAudio

  • Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
  • Impact: Playing a malicious audio file may lead to an unexpected application termination
  • Description: A logic issue was addressed with improved validation.
  • CVE-2021-30776: JunDong Xie of Ant Security Light-Year Lab

CoreGraphics

  • Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
  • Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
  • Description: A race condition was addressed with improved state handling.
  • CVE-2021-30786: ryuzaki

CoreText

  • Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
  • Impact: Processing a maliciously crafted font file may lead to arbitrary code execution
  • Description: An out-of-bounds read was addressed with improved input validation.
  • CVE-2021-30789: Mickey Jin (@patch1t) of Trend Micro, Sunglin of Knownsec 404 team

Crash Reporter

  • Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
  • Impact: A malicious application may be able to gain root privileges
  • Description: A logic issue was addressed with improved validation.
  • CVE-2021-30774: Yizhuo Wang of Group of Software Security In Progress (G.O.S.S.I.P) at Shanghai Jiao Tong University

CVMS

  • Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
  • Impact: A malicious application may be able to gain root privileges
  • Description: An out-of-bounds write issue was addressed with improved bounds checking.
  • CVE-2021-30780: Tim Michaud(@TimGMichaud) of Zoom Video Communications

dyld

  • Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
  • Impact: A sandboxed process may be able to circumvent sandbox restrictions
  • Description: A logic issue was addressed with improved validation.
  • CVE-2021-30768: Linus Henze (pinauten.de)

Find My

  • Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
  • Impact: A malicious application may be able to access Find My data
  • Description: A permissions issue was addressed with improved validation.
  • CVE-2021-30804: Csaba Fitzl (@theevilbit) of Offensive Security

FontParser

  • Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
  • Impact: Processing a maliciously crafted font file may lead to arbitrary code execution
  • Description: An integer overflow was addressed through improved input validation.
  • CVE-2021-30760: Sunglin of Knownsec 404 team

FontParser * Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) * Impact: Processing a maliciously crafted tiff file may lead to a denial-of-service or potentially disclose memory contents * Description: This issue was addressed with improved checks. * CVE-2021-30788: tr3e working with Trend Micro Zero Day Initiative

FontParser

  • Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
  • Impact: Processing a maliciously crafted font file may lead to arbitrary code execution
  • Description: A stack overflow was addressed with improved input validation.
  • CVE-2021-30759: hjy79425575 working with Trend Micro Zero Day Initiative

Identity Service

  • Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
  • Impact: A malicious application may be able to bypass code signing checks
  • Description: An issue in code signature validation was addressed with improved checks.
  • CVE-2021-30773: Linus Henze (pinauten.de)

Image Processing

  • Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: A use after free issue was addressed with improved memory management.
  • CVE-2021-30802: Matthew Denton of Google Chrome Security

ImageIO

  • Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
  • Impact: Processing a maliciously crafted image may lead to arbitrary code execution
  • Description: This issue was addressed with improved checks.
  • CVE-2021-30779: Jzhu, Ye Zhang(@co0py_Cat) of Baidu Security

ImageIO

  • Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
  • Impact: Processing a maliciously crafted image may lead to arbitrary code execution
  • Description: A buffer overflow was addressed with improved bounds checking.
  • CVE-2021-30785: CFF of Topsec Alpha Team, Mickey Jin (@patch1t) of Trend Micro

Kernel

  • Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
  • Impact: A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication
  • Description: A logic issue was addressed with improved state management.
  • CVE-2021-30769: Linus Henze (pinauten.de)

Kernel

  • Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
  • Impact: An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations
  • Description: A logic issue was addressed with improved validation.
  • CVE-2021-30770: Linus Henze (pinauten.de)

libxml2

  • Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
  • Impact: A remote attacker may be able to cause arbitrary code execution
  • Description: This issue was addressed with improved checks.
  • CVE-2021-3518

Measure

  • Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
  • Impact: Multiple issues in libwebp
  • Description: Multiple issues were addressed by updating to version 1.2.0.
  • CVE-2018-25010
  • CVE-2018-25011
  • CVE-2018-25014
  • CVE-2020-36328
  • CVE-2020-36329
  • CVE-2020-36330
  • CVE-2020-36331

Model I/O

  • Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
  • Impact: Processing a maliciously crafted image may lead to a denial of service
  • Description: A logic issue was addressed with improved validation.
  • CVE-2021-30796: Mickey Jin (@patch1t) of Trend Micro

Model I/O

  • Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
  • Impact: Processing a maliciously crafted image may lead to arbitrary code execution
  • Description: An out-of-bounds write was addressed with improved input validation.
  • CVE-2021-30792: Anonymous working with Trend Micro Zero Day Initiative

Model I/O

  • Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
  • Impact: Processing a maliciously crafted file may disclose user information
  • Description: An out-of-bounds read was addressed with improved bounds checking.
  • CVE-2021-30791: Anonymous working with Trend Micro Zero Day Initiative

TCC

  • Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
  • Impact: A malicious application may be able to bypass certain Privacy preferences
  • Description: A logic issue was addressed with improved state management.
  • CVE-2021-30798: Mickey Jin (@patch1t) of Trend Micro

WebKit

  • Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: A type confusion issue was addressed with improved state handling.
  • CVE-2021-30758: Christoph Guttandin of Media Codings

WebKit

  • Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: A use after free issue was addressed with improved memory management.
  • CVE-2021-30795: Sergei Glazunov of Google Project Zero

WebKit

  • Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
  • Impact: Processing maliciously crafted web content may lead to code execution
  • Description: This issue was addressed with improved checks.
  • CVE-2021-30797: Ivan Fratric of Google Project Zero

WebKit

  • Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
  • Impact: Processing maliciously crafted web content may lead to arbitrary code execution
  • Description: Multiple memory corruption issues were addressed with improved memory handling.
  • CVE-2021-30799: Sergei Glazunov of Google Project Zero

Wi-Fi

  • Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
  • Impact: Joining a malicious Wi-Fi network may result in a denial of service or arbitrary code execution
  • Description: This issue was addressed with improved checks.
  • CVE-2021-30800: vm_call, Nozhdar Abdulkhaleq Shukri
Tags
Technology