CVE-2021-1844 in iOS, macOS, watchOS
The vulnerability was discovered by two researchers: Clément Lecigne of Google’s Threat Analysis Group and Alison Huffman of Microsoft Browser Vulnerability Research. It is a memory corruption issue that could lead to arbitrary code execution when specially crafted web content is processed. Apple said the issue was fixed with improved validation.
Devices running iOS 14.4, iPadOS 14.4, macOS Big Sur, and watchOS 7.3.1 should apply the update. The same goes for the Safari browser running on macOS Catalina and macOS Mojave.
Other Apple Vulnerabilities Fixed Earlier in 2021
Apple fixed three zero-day vulnerabilities in iOS and iPadOS in January.
CVE-2021-1782, CVE-2021-1870, and CVE-2021-1871 could allow threat actors to perform privilege escalation and remote code execution attacks. Apple said the vulnerabilities were likely exploited in the wild, without specifying the attacks’ extent.
Then, in February, the company fixed a big loophole in macOS Big Sur that could lead to data loss. The bug resided in Big Sur 11.2 and was also introduced to the 11.3 version. It stemmed from the macOS Big Sur installer not checking whether the machine had the free space required for the upgrade to complete successfully. You can read more about the data loss bug in our dedicated article.
Later that month, security researchers uncovered a malvertising campaign coordinated by the ScamClub group which exploited a zero-day in WebKit-based browsers. Scammers were exploiting the critical CVE-2021-1801 vulnerability. According to the official information, the vulnerability was first discovered in Apple macOS up to 11.1 by researcher Eliya Stein of Confiant.