Apple has released out-of-band patches for iOS, macOS, watchOS,
and Safari browsers to address a security flaw that could allow
attackers to run arbitrary code on devices via malicious web
content.
Tracked as CVE-2021-1844, the vulnerability was
discovered and reported to the company by Clément Lecigne of
Google’s Threat Analysis Group and Alison Huffman of Microsoft
Browser Vulnerability Research.
According to the update notes posted by Apple, the flaw stems
from a memory corruption issue that could lead to arbitrary code
execution when processing specially crafted web content. The
company said the problem was addressed with “improved
validation.”
The update is available for devices running iOS 14.4, iPadOS
14.4[1], macOS Big
Sur[2], and watchOS
7.3.1[3] (Apple Watch Series 3
and later), and as an update to
Safari[4] for MacBooks running
macOS Catalina and macOS Mojave.
The latest development comes on the heels of a patch for
three zero-day vulnerabilities[5] (CVE-2021-1782,
CVE-2021-1870, and CVE-2021-1871), which it released in January.
The weaknesses, which allow an attacker to elevate privileges and
achieve remote code execution, were later exploited by the team
behind the “unc0ver[6]” jailbreak tool to
unlock almost every single iPhone model running 14.3.
It’s worth noting that Huffman was also behind the discovery of
an actively exploited zero-day bug[7] in the Chrome browser
that was addressed by Google last week. But unlike the Chrome
security flaw, there is no evidence that CVE-2021-1844 is being
exploited by malicious hackers.
Users of Apple devices or those running a vulnerable version of
Chrome are advised to install the updates as soon as possible to
mitigate the risk associated with the flaws.
References
- ^
iOS
14.4, iPadOS 14.4 (support.apple.com) - ^
macOS
Big Sur (support.apple.com) - ^
watchOS
7.3.1 (support.apple.com) - ^
update
to Safari (support.apple.com) - ^
three
zero-day vulnerabilities
(thehackernews.com) - ^
unc0ver
(thehackernews.com) - ^
actively
exploited zero-day bug (thehackernews.com)