- Apple has released patches for a range of products to address a WebKit vulnerability.
- Not many details about the flaw have been published, but it is an RCE based on memory corruption.
- Apple says they have no indication that the flaw is under active exploitation in the wild.
Apple has released four “out-of-band” patches for iOS and iPadOS, macOS, watchOS, and Safari, addressing a severe vulnerability that was given the identifier “CVE-2021-1844.” The flaw was discovered by researchers Clément Lecigne of Google’s Threat Analysis Group and Alison Huffman of Microsoft’s Browser Vulnerability Research team, who reported their findings to Apple immediately.
The flaw is a memory corruption issue that can lead to remote code execution via buffer overflow in WebKit. For this to work, an attacker would need to use a specially crafted web page and trick the victim into opening it, which is not a demanding requirement.
Successful exploitation of this flaw may result in the complete compromise of the target system. Because of the wide deployment of WebKit, Apple had to release patches that cover a wide range of products.
People are advised to apply the following patches immediately:
Apple claims that they have seen no signs of this vulnerability being under active exploitation, so there’s a good chance that the two researchers were the first to discover the flaw. The risk is still high, and Apple has chosen not to publish any technical details about the vulnerability yet. They will not share much until a thorough investigation has been concluded and the vast majority of users have applied the available patches.
Based on some expert comments, we can discern that the exploitation would require some user interaction in the sense of downloading something onto the vulnerable device, so this bug may also be exploitable via email attachments or SMS links. Users of iPhone devices should be aware of this possibility and treat all incoming communications with caution.
Of course, everyone should upgrade to iOS 14.4.1 immediately, as this is an emergency security update. As such, it introduces no new features that could threaten to break anything else.