- Apple has received another report about an actively exploited WebKit bug and is fixing it.
- The emergency patch comes through iOS 14.4.2, 12.5.2, and watchOS 7.3.3.
- Apple may begin pushing these updates separately from the system updates, starting with iOS 14.5.
Only about two weeks after the last zero-day fix that came through an out-of-band update (iOS 14.4.1), Apple returns with another similarly urgent patch for all its operating systems. The flaw squashed this time is CVE-2021-1879, which lies in WebKit, Safari’s engine. According to Apple, this flaw is under active exploitation at the moment, with crooks using maliciously crafted web content to trigger cross-site scripting attacks.
Like CVE-2021-1844, which was urgently patched at the start of the month, the newest bug was discovered and reported to Apple by researchers Clément Lecigne and Billy Leonard, both members of Google’s Threat Analysis Group. No technical details have been disclosed about the discovered vulnerabilities for security and precautionary reasons, as most users haven’t applied the update yet.
The fix comes through improved management of object lifetimes and is incorporated in the following software releases:
- iOS 12.5.2 – iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation)
- iOS 14.4.2 – iPhone 6s and later, and iPod touch (7th generation)
- iPadOS 14.4.2 – iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later
- watchOS 7.3.3 – Apple Watch Series 3 and later
If you own any of the above devices, you should see an alert about the available update in Settings. It is important to apply the patch as soon as you can, as merely browsing online could trigger the exploit.
In light of the need to push frequent security micro-patches, Apple has recently started considering a new system that would fetch these crucial packages outside the regular update cycle. This way of delivering “standalone” security updates is common in the Android world, and Apple sees value in following the same approach. The code that brings this new system was found in a beta of iOS 14.5, which is purported to be one of the more feature-packed point releases ever.