4238151394 [email protected]

WebKit RCE in Apple macOS and iOS

A flaw in Webkit, the underlying engine of Apple’s Safari browser, is responsible for a vulnerability that could allow an attacker to remotely execute arbitrary code in macOS Big Sur, iOS, iPadOS, and watchOS. Updating as soon as possible is recommended to mitigate risk of compromise.

 

What’s the nature of the vulnerability?

A memory corruption flaw in the WebKit component of Safari could allow an attacker to trick the victim into opening specially-crafted web content that triggers a memory corruption event, and would allow execution of arbitrary code on the target system.

While it is being tracked as CVE-2021-1844, details from Apple are vague.

What’s the risk?

Successful exploitation of this vulnerability could result in complete compromise of a vulnerable system, resulting in data loss, data exfiltration, and more.

Affected versions

  • macOS Big Sur all versions before 11.2.3
  • watchOS < 7.3.2 (for the Apple Watch series 3 or later)
  • iOS < 14.4.1
  • iPadOS < 14.4.1

Safari on macOS:

  • Safari < 14.0.3 for macOS Catalina and macOS Mojave are vulnerable
  • After installing this update, the build number for Safari 14.0.3 is 14610.4.3.1.7 on macOS Mojave and 15610.4.3.1.7 on macOS Catalina

Mitigation

Install the latest version of Apple security updates: