Update your iPhone if you haven’t already: more Apple WebKit (Safari) vulnerabilities

We wrote this short post to remind everyone whose Apple devices are NOT managed by their company or a managed services provider to update those devices immediately.

Apple recently released updates, including a series of operating system patches, for CVE-2021-1844, a remote code execution (RCE) vulnerability, and CVE-2021-1879, a universal cross-site scripting (UXSS) vulnerability. Both are flaws in WebKit, which powers Apple’s Safari browser.

Affected devices include iPhones, iPads, Apple Watches, and iPod touch. If you have one of these and someone else isn’t managing it for you, update your device as soon as possible.

What happened?

Google’s Threat Analysis Group (TAG) discovered a vulnerability in WebKit, software used in Apple’s Safari browser. Websites and applications that accept user-provided data in form fields are at risk if they don’t perform any of their own input validation. If exploited, the vulnerability could allow a threat actor to launch an XSS attack by using input fields to inject malicious code.

XSS attacks may launch malware, redirect the victim to a malicious site or server, or deface the targeted website.

Updates in iOS 14.4.2, iPadOS 14.4.2, and watchOS 7.3.3 released on March 26 add protection against these types of attacks.

Who’s affected?

If you have an iPhone, iPad, or iPod, go to Settings > General > About to see if your Software Version is earlier than the versions listed above.

On an Apple Watch, go to General > Settings.

To confirm that you’ve successfully updated your device, ensure that your version number matches one of these:

iOS 12.5.2 for iPhone 5s, 6, 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch 6th generation

iOS 14.4.2 or iPadOS 14.4.2 for iPhone 6s and later, all iPad Pro models, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch 7th generation

watchOS 7.3.3 for Apple Watch Series 3 and later
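For anyone checking more than one device, here is the same version check as a small Python script. It is an added example, not part of the original post, and it assumes (the advisory does not say this) that any version at or above the fixed release within a branch, or on a later major release, carries the fix.

```python
"""Check whether an Apple device's reported OS version includes the fixes
for CVE-2021-1844 / CVE-2021-1879 (iOS 12.5.2, iOS/iPadOS 14.4.2, watchOS 7.3.3).

Assumption (not from the advisory): within a release branch, any version at or
above the fixed one carries the fix, and any later major release does too.
"""
from typing import List, Tuple

Version = Tuple[int, ...]

# First fixed version per release branch, keyed by platform then major version.
# Apple shipped the fix on two iOS branches: 12.x for older hardware, 14.x for current.
FIXED = {
    "ios": {12: "12.5.2", 14: "14.4.2"},
    "ipados": {14: "14.4.2"},
    "watchos": {7: "7.3.3"},
}


def parse_version(text: str) -> Version:
    """'14.4.2' -> (14, 4, 2); '14.5' -> (14, 5, 0). Pad so tuple comparison works."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_patched(platform: str, version: str) -> bool:
    branches = FIXED[platform.lower()]
    v = parse_version(version)
    fixed = branches.get(v[0])
    if fixed is not None:
        # Same branch as a fixed release: compare within that branch only.
        return v >= parse_version(fixed)
    # A naive "version >= 14.4.2" test would wrongly flag a patched iPhone 6 on
    # 12.5.2; the branch lookup above avoids that. Branches with no fix (e.g.
    # iOS 13.x) fall through here and are reported as unpatched.
    return v[0] > max(branches)


def unpatched(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (device, platform, version) rows that still need the update."""
    return [row for row in inventory if not is_patched(row[1], row[2])]


# Constructed sample inventory, not real device data.
SAMPLE = [
    ("iphone-6", "iOS", "12.5.2"),
    ("iphone-11", "iOS", "14.4.1"),
    ("ipad-pro", "iPadOS", "14.5"),
    ("iphone-8", "iOS", "13.7"),
    ("watch-s5", "watchOS", "7.3.3"),
]

if __name__ == "__main__":
    for row in unpatched(SAMPLE):
        print("needs update:", *row)
```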

For more info, check out Threatpost, NakedSecurity, or just Google ‘Apple Vulnerabilities’ or one of the CVE numbers mentioned above.
