![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2019\/03\/ios-software-update-available-icon-600x300-e1558142227486.png\"){kind=icon}
<\/p>\n<\/p>\n
Apple has released a series of security updates to patch two critical vulnerabilities that the company says were “actively exploited” in the wild.<\/p>\n
The following updates were released on Monday, September 13, 2021:<\/p>\n
Each of these updates patches one or both of the following issues:<\/p>\n
Component:<\/strong> CoreGraphics<\/p>\n
Impact:<\/strong> Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.<\/p>\n
Description:<\/strong> An integer overflow was addressed with improved input validation.<\/p>\n
Vulnerability ID:<\/strong> CVE-2021-30860, reported by The Citizen Lab<\/p><\/blockquote>\n
Component:<\/strong> WebKit<\/p>\n
Impact:<\/strong> Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.<\/p>\n
Description:<\/strong> A use after free issue was addressed with improved memory management.<\/p>\n
Vulnerability ID:<\/strong> CVE-2021-30858, reported by an anonymous researcher<\/p><\/blockquote>\n
Every one of Apple’s operating systems received both updates, with two exceptions:<\/p>\n
\n
- CVE-2021-30860 was evidently not patched for macOS Mojave<\/li>\n
- CVE-2021-30858 was evidently not patched in watchOS 7.6.2<\/li>\n<\/ul>\n
It is unclear whether those vulnerabilities were simply not exploitable on those operating systems, or if there was some other reason why they were not patched. We have reached out to Apple for clarification and will update this article if Apple responds.<\/p>\n
The bug that wasn’t patched for Mojave is reportedly<\/a> one that was exploited by Pegasus spyware<\/a> on iOS, as we reported on back in July<\/a>:<\/p>\n
Pegasus Spyware Hacks iPhones of Prominent Individuals<\/a><\/p><\/blockquote>\n