Apple has released a new set of out-of-band patches for iOS, iPadOS, macOS and watchOS to address a critical zero-day vulnerability, tracked as CVE-2021-1879, that is being actively exploited in the wild.
The vulnerability resides in the WebKit flaw, it could be exploited by an attacker to trick the victims into processing maliciously crafted web content that can lead to universal cross-site scripting attacks.
“Processing maliciously crafted web content may lead to universal cross site scripting. Apple is aware of a report that this issue may have been actively exploited.” reads the advisory published by Apple.
The IT giant addressed the issue by improving management of object lifetimes.
The CVE-2021-1879 was reported by Clement Lecigne of Google Threat Analysis Group and Billy Leonard of Google Threat Analysis Group.
Apple did not disclose details of the zero-day vulnerability but confirmed it’s aware of attackers in the wild that actively exploited this issue.
Below the list of updates that were released by Apple:
Early this week, Apple has released another out-of-band security patches to address a critical vulnerability, tracked as CVE-2021-1844, in iOS, macOS, watchOS, and Safari web browser.
This vulnerability was also discovered by Clément Lecigne of Google’s Threat Analysis Group and Alison Huffman of Microsoft Browser Vulnerability Research. The flaw could be exploited by remote attackers to run arbitrary code on vulnerable devices by tricking users into visiting a malicious web content.
The vulnerability is caused by a memory corruption issue that could be triggered to cause arbitrary code execution when processing specially crafted web content.
On January 2021, Apple has addressed three zero-day vulnerabilities in iOS that have been exploited in the wild with the release of security updates (iOS 14.4).
The first zero-day issue, tracked as CVE-2021-1782, is a race condition that resides in the iOS operating system kernel.
The other two zero-day flaws, tracked as CVE-2021-1870 and CVE-2021-1871 respectively, reside in the WebKit browser engine.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, zero-day)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.