Merely weeks after releasing out-of-band patches for iOS, iPadOS, macOS and watchOS, Apple has issued yet another security update for iPhone, iPad, and Apple Watch to fix a critical zero-day weakness that it says is being actively exploited in the wild.
Tracked as CVE-2021-1879, the vulnerability relates to a WebKit flaw that could enable adversaries to process maliciously crafted web content that may result in universal cross-site scripting attacks.
“This issue was addressed by improved management of object lifetimes,” the iPhone maker noted.
Apple has credited Clement Lecigne and Billy Leonard of Google’s Threat Analysis Group for discovering and reporting the issue. While details of the flaw have not been disclosed, the company said it’s aware of reports that CVE-2021-1879 may have been actively exploited.
Updates are available for the following devices:
- iOS 12.5.2 – Phone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation)
- iOS 14.4.2 – iPhone 6s and later, and iPod touch (7th generation)
- iPadOS 14.4.2 – iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later
- watchOS 7.3.3 – Apple Watch Series 3 and later
The latest release arrives close on the heels of a patch for a separate WebKit flaw (CVE-2021-1844) that Apple shipped earlier this month. In January 2021, the company resolved three zero-day vulnerabilities (CVE-2021-1782, CVE-2021-1870, and CVE-2021-1871) that allowed an attacker to elevate privileges and achieve remote code execution.
Interestingly, Apple also appears to be experimenting with ways to deliver security updates on iOS in a manner that’s independent of other OS updates. iOS 14.4.2 certainly sounds like the kind of update that could benefit from this feature.
In the meanwhile, users of Apple devices are advised to install the updates as soon as possible to mitigate the risk associated with the flaw.