The bug is under active exploitation by unknown attackers and affects a wide range of devices, including iPhones, iPads and Apple Watches.
Apple has released an emergency update for its iOS, iPadOS, and watchOS operating systems to patch a zero-day security flaw that is being actively exploited in the wild. The vulnerability affects multiple models of iPhone, iPad, Apple Watch, and iPod touch.
“Apple is aware of a report that this issue may have been actively exploited,” reads Apple’s security advisory describing the security hole that is being plugged with the release of iOS 14.4.2 and iPadOS 14.4.2.
The list of impacted devices includes iPhone 6s and later, all versions of the iPad Pro, iPad Air 2 and later, the 5th generation of iPad and later, iPad mini 4 and later, and the 7th generation of the iPod touch. The Cupertino-based tech giant also issued security updates for its Apple Watch products (watchOS 7.3.3).
Given the seriousness of the threat, Apple also rolled out an update (iOS 12.5.2) for older devices such as iPhone 5s and iPhone 6. In an effort to protect its customers, the company did not release any information about the perpetrators or the targets of the attacks. Meanwhile, Computer Emergency Response Teams (CERTs) from the United States, Hong Kong, and Singapore issued alerts urging users of the affected devices to apply the updates immediately.
Tracked as CVE-2021-1879, the security flaw resides in WebKit, Apple’s open-source web browser engine used by the Safari browser, Mail, and various other iOS and iPadOS apps. “Processing maliciously crafted web content may lead to universal cross site scripting,” reads the bug’s description.
According to CyberSecurityHelp, a remote attacker who can hoodwink a victim into clicking on a specially crafted link, and thereby execute arbitrary code, could steal sensitive data, perform a phishing or drive-by-download attack, or change the appearance of the website.
Clément Lecigne and Billy Leonard of Google’s Threat Analysis Group were credited with the discovery and disclosure of the vulnerability. This is not the first time Google’s security researchers have unearthed a bug affecting Apple’s devices. Last year, for example, Google’s Project Zero team found a trio of zero-day vulnerabilities affecting a long list of Apple products. Earlier this year, Apple had to issue an emergency update to quash three zero-day bugs that also affected a wide range of its products.
If you don’t have automatic updates enabled, you can update your iPhone and iPad manually by going to the Settings menu, then tapping General, and going to the Software Update section.
written by Amer Owaida, ESET We Live Security