Apple released out-of-band updates for a new Zero‑Day actively exploited

Pierluigi Paganini March 27, 2021

Apple has released new out-of-band updates for iOS, iPadOS, macOS and watchOS to address another zero‑day flaw, tracked CVE-2021-1879, actively exploited.

Apple has released a new set of out-of-band patches for iOS, iPadOS, macOS and watchOS to address a critical zero-day vulnerability, tracked as CVE-2021-1879, that is being actively exploited in the wild.

The vulnerability resides in the WebKit flaw, it could be exploited by an attacker to trick the victims into processing maliciously crafted web content that can lead to universal cross-site scripting attacks.

“Processing maliciously crafted web content may lead to universal cross site scripting. Apple is aware of a report that this issue may have been actively exploited.” reads the advisory published by Apple.

The IT giant addressed the issue by improving management of object lifetimes.

The CVE-2021-1879 was reported by Clement Lecigne of Google Threat Analysis Group and Billy Leonard of Google Threat Analysis Group.

Apple did not disclose details of the zero-day vulnerability but confirmed it’s aware of attackers in the wild that actively exploited this issue.

Below the list of updates that were released by Apple:

  • iOS 12.5.2 – Phone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation)
  • iOS 14.4.2 – iPhone 6s and later, and iPod touch (7th generation)
  • iPadOS 14.4.2 – iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later
  • watchOS 7.3.3 – Apple Watch Series 3 and later

Early this week, Apple has released another out-of-band security patches to address a critical vulnerability, tracked as CVE-2021-1844, in iOS, macOS, watchOS, and Safari web browser.

This vulnerability was also discovered by Clément Lecigne of Google’s Threat Analysis Group and Alison Huffman of Microsoft Browser Vulnerability Research. The flaw could be exploited by remote attackers to run arbitrary code on vulnerable devices by tricking users into visiting a malicious web content.

The vulnerability is caused by a memory corruption issue that could be triggered to cause arbitrary code execution when processing specially crafted web content.

On January 2021, Apple has addressed three zero-day vulnerabilities in iOS that have been exploited in the wild with the release of security updates (iOS 14.4).

The first zero-day issue, tracked as CVE-2021-1782, is a race condition that resides in the iOS operating system kernel.

The other two zero-day flaws, tracked as CVE-2021-1870 and CVE-2021-1871 respectively, reside in the WebKit browser engine.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment