Apple on Friday said it patched a zero-day cross-site scripting vulnerability affecting iPhones, iPads, the iPod touch and Apple watches that was actively exploited in the wild – the company’s seventh such announcement of a zero-day patch in the past five months.
The Cybersecurity and Infrastructure Security Agency (CISA) issued a release on the bug and said organizations should review the Apple security pages for the impacted products and apply the updates.
Apple said the zero-day – CVE-2021-1879 – was discovered in the WebKit browser engine by Clement Lecigne and Billy Leonard of Google’s threat analysis group. Malicious actors are able to exploit the flaw via maliciously crafted web content.
The zero-day is fixed in the following operation system versions:
- iOS 14.4.2 and iPadOS 14.4.2: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
- iOS 12.5.2: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation).
- watchOS 7.3.3: Apple Watch Series 3 and later.
Hank Schless, senior manager, security solutions at Lookout, noted that the presence a cross-site scripting bug means that attackers could easily redirect the user to a malicious page they built and then phish login credentials for personal or corporate accounts, or deliver malware to spy on the user or exfiltrate files from cloud-based services. Schless said this incident exemplifies how delivering phishing links through platforms like social media, third-party messaging apps, gaming and even dating apps makes it easier to socially engineer mobile users.
“Attackers know that there’s a natural lag time between a zero-day vulnerability being discovered, a patch being delivered, and end users actually installing the update to patch the issue,” Schless said. “People who choose to ignore or delay OS updates only expand the window of opportunity for attackers. Security teams need a way to limit access to corporate cloud resources until a device has installed the latest patch. Cloud-based security solutions let organizations push access policies to all users as soon as the vulnerability patch is released.”
Craig Young, principal security researcher at Tripwire, said Google’s threat analysis group has a long track record of identifying zero-day vulnerabilities being used in the wild to exploit Apple customers. Young said many of these exploits have been distributed via hacked websites.
“It’s been widely suggested that these watering-hole attacks are being used by repressive governments to spy on targeted populations,” said Young.
Vishal Jain, co-founder and CTO at Valtix, added that this case represents another zero-day attack leveraging the Webkit browser engine on iOS. “This does warrant a question whether it’s safer for our industry to converge on a single browser engine across mobile and desktop users and collectively fight against these attacks,” Jain said.