Only about two weeks after its last out-of-band zero-day fix (iOS 14.4.1), Apple is back with another similarly urgent patch across its operating systems. The flaw squashed this time is CVE-2021-1879, which lies in WebKit, the browser engine behind Safari. According to Apple, the bug may have been actively exploited, with attackers using maliciously crafted web content to trigger cross-site scripting. Apple's advisory describes the impact as universal cross-site scripting, which is worse than the ordinary kind: instead of injecting script into one poorly sanitised page, the attacker's page can run script in the context of other origins, defeating the same-origin policy that normally keeps sites apart. Because WebKit is also the engine every third-party browser on iOS is required to use, the exposure is not limited to people who browse with Safari.
Like CVE-2021-1844, which was urgently patched at the start of the month, the newest bug was reported to Apple by Google's Threat Analysis Group, this time by researchers Clément Lecigne and Billy Leonard. No technical details have been disclosed, which is standard practice while most users have yet to apply the update: publishing them would hand other attackers a head start.
Apple describes the fix as "improved management of object lifetimes", and it is incorporated in the following software products:
If you own any of the above devices, you should see an alert about the available update in Settings (Settings > General > Software Update on iPhone and iPad). Apply it as soon as you can: this is a drive-by bug, so merely loading a malicious or compromised web page is enough to trigger the exploit, and that holds in third-party browsers and in-app web views as well as in Safari.
Given how often it now has to push small but critical security fixes, Apple has reportedly started work on a mechanism that would deliver such patches outside the regular OS update cycle. Standalone security updates of this kind are already common in the Android world, and Apple appears to see value in the same approach. Code for the new mechanism was spotted in a beta of iOS 14.5, which is shaping up to be one of the more feature-packed point releases to date.