Apple fixes an iOS zero-day vulnerability actively used in attacks

Apple fixes iOS zero-day vulnerability exploited in the wild

Apple has released security updates to address an iOS zero-day bug actively exploited in the wild and affecting iPhone, iPad, iPod, and Apple Watch devices.

“Apple is aware of a report that this issue may have been actively exploited,” the company said in a security advisory published today.

The vulnerability, tracked as CVE-2021-1879, was reported by Clément Lecigne and Billy Leonard of Google's Threat Analysis Group (TAG).

The zero-day was found in the WebKit browser engine and allows attackers to launch universal cross-site scripting (UXSS) attacks after tricking targets into opening maliciously crafted web content on their devices. Unlike an ordinary XSS bug in a single website, a UXSS flaw lives in the browser itself and lets attacker-controlled script bypass the same-origin policy, so a single malicious page can read from or act on any other site the victim is logged into.

The list of affected devices, grouped by the update that patches them, includes:

  • iOS 14.4.2: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
  • iOS 12.5.2: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation)
  • watchOS 7.3.3: Apple Watch Series 3 and later

Apple addressed the zero-day earlier today with improved management of object lifetimes in iOS 14.4.2, iOS 12.5.2, and watchOS 7.3.3. Users can check their current version and install the update under Settings > General > Software Update (iOS) or in the Watch app under General > Software Update (watchOS).

“This update provides important security updates and is recommended for all users,” Apple tells users who update to the latest iOS version.

iOS 14.4.2 update

Seventh zero-day patched within the last five months

Apple patched two other sets of iOS zero-days exploited in the wild in January 2021 and November 2020, reported respectively by an anonymous researcher and by Project Zero, Google's zero-day bug-hunting team.

In January, the company fixed a race condition bug in the iOS kernel (tracked as CVE-2021-1782) and two WebKit flaws (tracked as CVE-2021-1870 and CVE-2021-1871). 

In November, Apple patched three other iOS zero-days—a remote code execution bug (CVE-2020-27930), a kernel memory leak (CVE-2020-27950), and a kernel privilege escalation flaw (CVE-2020-27932)—affecting iPhone, iPad, and iPod devices.

Project Zero recently revealed that a group of hackers used 11 zero-days in attacks targeting Windows, iOS, and Android users within a single year.