Apple Fixes iOS Leaks That Enable Bluetooth Attack

Apple has fixed multiple vulnerabilities in iOS that could allow iPhone or iPad owners to be remotely attacked via Bluetooth. The vulnerabilities allow an attacker to run arbitrary code on the devices.

Three vulnerabilities, designated CVE-2021-1794, CVE-2021-1795, and CVE-2021-1796, allow a remote attacker to execute arbitrary code via Bluetooth, according to Apple's description. Further details are not given, except that the vulnerabilities were discovered by 360 Alpha Lab researcher Jianjun Dai. The researcher also found a fourth bluetooth vulnerability, CVE-2021-1780, that enables a denial of service attack.

The vulnerabilities have been fixed in iOS 14.4 and iPad 14.4. Apple released these updates on Jan. 26, but then only reported that three actively attacked zero-day leaks had been fixed in the iOS kernel and WebKit browser engine. Now the tech company reports that with iOS 14.4 and iPad 14.4, a total of 47 vulnerabilities have been resolved.

Multiple critical vulnerabilities are affected in CoreAudio, CoreGraphics, CoreMedia, CoreText, FontParser, ImageIO and WebKit. By processing a malicious font file, text file, image, or web content, these vulnerabilities could allow an attacker to execute arbitrary code on the device.

A vulnerability in WebRTC has also been patched that could allow a malicious website to access protected ports on arbitrary servers. An attack called ' NAT slipstreaming 2.0 '. Updating to iOS 14.4 and iPadOS 14.4 can be done via iTunes and the Software Update function of the operating system.
Previous Post Next Post