iOS 14.4.2/12.5.2 emergency security update to fix actively exploited security vulnerabilities
Apple released iOS 14.4.2 and iPadOS 14.4.2 last night to fix a high-risk security vulnerability (CVE-2021-1879) in the core rendering engine of the system browser.
An attacker can exploit this vulnerability with a specially crafted web page to directly read data that other websites have stored in the browser, including certain identity information stored locally.
The company said that this vulnerability may have been actively exploited in the wild, so all users should upgrade to the latest version immediately for security reasons.
Researchers from Google’s security team reported the vulnerability to Apple immediately after discovering it, and Apple confirmed it and immediately began working on a fix.
Because the vulnerability has only just been fixed, its details have not been fully disclosed for security reasons, and the Google security team has released only some basic information about it.
The vulnerability is said to be located in WebKit, the browser's rendering engine. An attacker can trick users into visiting a specially crafted web page to launch a universal cross-site scripting attack.
With this vulnerability, an attacker can directly read the data that other websites have stored locally in the browser, data that should be isolated and inaccessible to other sites.
This is why Apple released a security update immediately: the vulnerability could cause serious leakage of users' personal information, so its potential impact is large.
Updates are available for the following devices:
- iOS 12.5.2 – iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation)
- iOS 14.4.2 – iPhone 6s and later, and iPod touch (7th generation)
- iPadOS 14.4.2 – iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later
- watchOS 7.3.3 – Apple Watch Series 3 and later