iPhone, iPad and Mac security: Apple releases fixes for bug that could allow code execution via malicious web content

Apple has released a fix for a bug that affects iPhones, iPads and MacBooks and could lead to ‘arbitrary code execution’ when a user visits a website hosting malicious code.

Like many bugs, this one is a memory-related bug, and it affects WebKit, the browser engine behind Safari on iPhones and MacBooks. Apple delivered the security fix in macOS Big Sur 11.2.3, iOS 14.4.1 and iPadOS 14.4.1.

In typical fashion, Apple hasn’t released much information about the bug but notes that the issue means its browser is vulnerable to processing maliciously crafted web content that “may lead to arbitrary code execution”.

The bug, tracked as CVE-2021-1844, was discovered by Clément Lecigne from Google’s Threat Analysis Group and Alison Huffman from Microsoft’s browser vulnerability research group. 

Apple doesn’t say whether the bug was being exploited before the update. Both security researchers are noteworthy. 

Huffman discovered a flaw in Google’s Chrome browser that was being exploited before Google released a patch. That bug, CVE-2021-21166, was addressed in the release of the Chrome 89 stable channel for desktop on Windows, Mac, and Linux last week. Lecigne found two critical iPhone bugs that were being exploited in 2019.   

The iOS updates are available for the iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation).

iOS 14.4.1 is available now worldwide as a 138MB update. “This update provides important security updates and is recommended for all users,” Apple notes. iPhone owners can go to the Settings app and check for software updates to get the patch. It is easy to install but, as usual, the process takes a few minutes while the device prepares the update, after which users need to wait for the device to restart.

