Almost three weeks after issuing its last urgent security updates, Apple released new software updates for its iPhone, Apple Watch products, and iPad. The updates address a new security flaw in the WebKit engine that powers Apple apps and the Safari browser.

Apple said that the security updates (for iOS 14.4.2, iPadOS 14.4.2, and watchOS 7.3.3) plug a hole in security that could allow an attacker to deliver malicious web content, leading to universal cross-site scripting.

When that happens, malicious code is injected into flawed web apps, giving attackers access to sensitive information such as cookies and tokens.

No details have been released by Apple

The Common Vulnerabilities and Exposures number for this flaw is CVE-2021-1879. Because Apple tends to be very cagey about the nature of its vulnerabilities, details about this flaw have not been released. Apple did, however, credit those who found the vulnerability and called the company’s attention to it.

They include Clément Lecigne and Billy Leonard (who works at Google’s Threat Analysis Group). Lecigne was also co-credited with discovering a vulnerability Apple addressed in its last update. The rapid pace at which the update was released is indicative of a serious problem.

A serious issue

As with the previous March 8 update, this one was released without testing from developers or the public. That usually means that the vulnerability is so serious that it needed to be urgently fixed. The timing is also interesting.

The iOS 14.5 version was supposed to be out before the end of the month, but we may be looking at an early April release.

The new OSes are available for iPhone 6 and later, all iPad Pro models, iPad Air 2 and later, iPad (5th gen and later), iPad mini 4 and later, iPod Touch (7th gen), and Apple Watch Series 3 and later.