The flaw is actively exploited by attackers and affects a wide range of devices, including iPhones, iPads and Apple Watches.
Apple has released an emergency update for its iOS, iPadOS, and watchOS operating systems to address a zero-day security vulnerability that is being actively exploited in the wild. The vulnerability affects several models of iPhone, iPad, Apple Watch, and iPod touch.
“Apple is aware of the potential exploitation of this security flaw,” says Apple’s security notice for the flaw, which is patched in iOS 14.4.2 and iPadOS 14.4.2.
The list of affected devices includes iPhone 6s and later, all iPad Pro models, iPad Air 2 and later, iPad (5th generation) and later, iPad mini 4 and later, and iPod touch (7th generation). The Cupertino-based company has also released watchOS 7.3.3 for the Apple Watch.
Given the severity of the threat, Apple has also released iOS 12.5.2 for older devices such as the iPhone 5s and iPhone 6, which cannot run iOS 14. Citing the protection of its customers, the company has not disclosed any information about who is behind the attacks or whom they targeted. Meanwhile, Computer Emergency Response Teams (CERTs) in the United States, Hong Kong, and Singapore have issued alerts urging users of affected devices to apply the updates immediately.
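For anyone responsible for more than one device, the practical question behind these alerts is which devices in an inventory are still below the fixed builds. The following is an added illustration, not code from the article, Apple, or any CERT: it compares reported OS versions against the fixed versions the article cites (iOS 12.5.2 and 14.4.2, iPadOS 14.4.2, watchOS 7.3.3), picking the comparison branch by major version so that an iPhone 6 on the iOS 12 line is judged against 12.5.2 rather than 14.4.2. The inventory records are constructed sample data with assumed field names in the shape an MDM export might take.

```python
"""Flag Apple devices still below the builds that fix CVE-2021-1879.

Added illustration (not code from the article, Apple, or any CERT).
Fixed versions are the ones the article cites; inventory records are
constructed sample data with assumed field names.
"""
import re

# Minimum OS version per platform that carries the fix, per the article.
# iOS has two release branches: devices stuck on iOS 12 (iPhone 5s / 6)
# get 12.5.2, everything else gets 14.4.2.
FIXED_VERSIONS = {
    "iOS": [(12, 5, 2), (14, 4, 2)],
    "iPadOS": [(14, 4, 2)],
    "watchOS": [(7, 3, 3)],
}


def parse_version(s):
    """Turn '14.4.2' / '14.4' / '12.5.2' into a comparable tuple of ints.

    A plain string comparison is wrong here: '14.4.10' < '14.4.2'
    lexicographically. Missing components count as 0, so '14.4' == (14, 4, 0).
    """
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def is_patched(platform, version):
    """True if `version` is at or above the fix for its release branch.

    The branch is chosen by major version: an iOS 12 device is compared
    against 12.5.2, an iOS 14 device against 14.4.2. A major release newer
    than any fixed branch (e.g. iOS 15) carries the fix forward; a major
    release with no fix offered (e.g. iOS 13) is reported as unpatched,
    since those devices must move to iOS 14 to get it.
    """
    branches = FIXED_VERSIONS.get(platform)
    if branches is None:
        raise ValueError(f"unknown platform: {platform!r}")
    v = parse_version(version)
    for fixed in branches:
        if v[0] == fixed[0]:
            return v >= fixed
    return v[0] > max(b[0] for b in branches)


def unpatched_devices(inventory):
    """Return the names of inventory records that still need the update."""
    return [d["name"] for d in inventory
            if not is_patched(d["platform"], d["os_version"])]


# Constructed sample inventory (assumed field names, not real devices).
SAMPLE_INVENTORY = [
    {"name": "iphone-12-alice", "platform": "iOS", "os_version": "14.4.2"},
    {"name": "iphone-11-bob", "platform": "iOS", "os_version": "14.4.1"},
    {"name": "iphone-6-carol", "platform": "iOS", "os_version": "12.5.2"},
    {"name": "iphone-5s-dave", "platform": "iOS", "os_version": "12.5.1"},
    {"name": "ipad-pro-erin", "platform": "iPadOS", "os_version": "14.4.2"},
    {"name": "watch-s5-frank", "platform": "watchOS", "os_version": "7.3.2"},
]

if __name__ == "__main__":
    for name in unpatched_devices(SAMPLE_INVENTORY):
        print("needs update:", name)
```

Run against the sample inventory it reports iphone-11-bob, iphone-5s-dave and watch-s5-frank. The branch table is the part to maintain: whenever Apple ships a fix on more than one release line, as it did here, a single "minimum version" check silently misjudges the older line.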
Listed as CVE-2021-1879, the security flaw resides in WebKit, Apple’s open-source browser engine used by Safari, Mail, and many other iOS and iPadOS apps. “Processing malicious web content can lead to universal cross-site scripting,” the bug description states. Universal XSS is more serious than an ordinary XSS bug in one website: it is a flaw in the browser engine itself that lets attacker-controlled script bypass the same-origin policy and run in the context of any other site the victim is logged into, regardless of how carefully those sites sanitize their own input.
According to CyberSecurityHelp, a remote attacker who tricks the victim into opening a specially crafted link could execute arbitrary script in the victim’s browser and use it to steal sensitive data, mount a phishing attack or drive-by download, or alter the appearance of a website.
Clément Lecigne and Billy Leonard of Google’s Threat Analysis Group (TAG) discovered and reported the vulnerability. This is not the first time Google researchers have uncovered bugs in Apple products: last year Google’s Project Zero team found three zero-day vulnerabilities affecting a long list of Apple devices, and earlier this year Apple had to issue an emergency update fixing three more zero-day flaws across a wide range of its products.
Our recommendations:
1 / If you have not enabled automatic updates, update your iPhone or iPad manually: open Settings, tap General, then Software Update.
2 / Turn on automatic updates so that you receive manufacturers’ fixes as soon as they are released.
3 / Check regularly that your digital identity has not been compromised. The site https://haveibeenpwned.com/ lets you look up whether your email address appears in known major data breaches.