Apple Plugs Severe WebKit Remote Code-Execution Hole

apple security update memory corruption

Apple pushed out security updates for a memory-corruption bug to devices running on iOS, macOS, watchOS and for Safari.

Apple is rolling out fixes for a high-severity vulnerability in its WebKit browser engine that, if exploited, could allow remote attackers to completely compromise affected systems.

The mobile giant released security updates on Monday for the flaw, for its Safari browser, as well as devices running macOS, watchOS and iOS.

The bug (CVE-2021-1844) ranks 7.7 out of 10 on the CVSS vulnerability-severity scale, making it high-severity. An exploit would allow an attacker to remotely execute code and ultimate take over the system.

Apple on Monday urged affected device users to update as soon as possible: “Keeping your software up-to-date is one of the most important things you can do to maintain your Apple product’s security,” said the company on Monday.

What is Apple WebKit?

The WebKit browser engine was developed by Apple for use in its Safari web browser – however, it is also used by Apple Mail, the App Store, and various apps on the macOS and iOS operating systems. The vulnerability stems from a memory-corruption issue in WebKit; this type of bug occurs when the contents of a memory location are modified in a way that exceeds the intention of the original program/language constructs – allowing attackers to execute arbitrary code.

In the case of this specific flaw, if WebKit processes specially-crafted, malicious web content, it could lead to successful exploitation, according to Apple.

In a real-world attack, “a remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system,” according to an advisory.

What Apple Devices Are Affected?

Apple pushed the updates out across a variety of devices. Updates are available via macOS Big Sur 11.2.3; watchOS 7.3.2 (for the Apple Watch series 3 or later); and iOS 14.4.1 and iPadOS 14.4.1 (for the iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation).

Security fixes are also available via Safari 14.0.3 for macOS Catalina and macOS Mojave: “After installing this update, the build number for Safari 14.0.3 is 14610. on macOS Mojave and 15610. on macOS Catalina,” noted Apple. Apple users can visit this page to learn how to update their devices.

Clément Lecigne of Google’s Threat Analysis Group and Alison Huffman of Microsoft Browser Vulnerability Research were credited with discovering the flaw.

Apple Security Updates

It’s only the latest bug to be found in WebKit: Apple in January released an emergency update that patched three recently discovered bugs in iOS. Two of these – CVE-2021-1870 and CVE-2021-1871 – were discovered in WebKit (while the third, tracked as CVE-2021-1782, was found in the OS kernel).

The WebKit vulnerabilities are both logic issues that the update addresses with improved restrictions, according to Apple. Exploiting these flaws would allow a remote attacker “to cause arbitrary code execution,” the company said.

The security updates also come weeks after Apple released its 2021 Platform Security guide, outlining its current and year-ahead agenda for its device hardware, software and silicon security. The deep dive report covered iOS 14, macOS Big Sur, Apple Silicon and iCloud Drive security.

Check out our free upcoming live webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community:
·      March 24: Economics of 0-Day Disclosures: The Good, Bad and Ugly (Learn more and register!)
·      April 21: Underground Markets: A Tour of the Dark Economy (Learn more and register!)

Suggested articles