Apple issues urgent patch update for another ‘Zero‑Day Attack’
Just a few weeks after releasing out-of-band patches for iOS, iPadOS, macOS, and watchOS, Apple issued yet another security update for the iPhone, iPad.
Tracked as CVE-2021-1879, the vulnerability relates to a WebKit flaw that could enable adversaries to process maliciously crafted web content that may result in universal cross-site scripting attacks.
“This issue was addressed by improved management of object lifetimes,” the iPhone maker noted.
Apple has credited Clement Lecigne and Billy Leonard of Google’s Threat Analysis Group for discovering and reporting the issue. While details of the flaw have not been disclosed, the company said it’s aware of reports that CVE-2021-1879 may have been actively exploited.
Updates are available for the following devices:
- iOS 12.5.2 Industry5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation)
- iOS 14.4.2 Industrylater, and iPod touch (7th generation)
- iPadOS 14.4.2 Industry(all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later
- watchOS 7.3.3 Industrylater
The latest release arrives close on the heels of a patch for a separate WebKit flaw (CVE-2021-1844) that Apple shipped earlier this month. In January 2021, the company resolved three zero-day vulnerabilities (CVE-2021-1782, CVE-2021-1870, and CVE-2021-1871) that allowed an attacker to elevate privileges and achieve remote code execution.
Interestingly, Apple also appears to be experimenting with ways to deliver security updates on iOS in a manner that’s independent of other OS updates. iOS 14.4.2 certainly sounds like the kind of update that could benefit from this feature.
In the meanwhile, users of Apple devices are advised to install the updates as soon as possible to mitigate the risk associated with the flaw.