Apple has released security updates to address a iOS zero-day vulnerability in multiple products. According to the Cybersecurity and Infrastructure Security Agency (CISA), an attacker could exploit some of these vulnerabilities to take control of an affected device. 

In a security update, Apple says CVE-2021-1879 was reported by Clement Lecigne of Google Threat Analysis Group and Billy Leonard of Google Threat Analysis Group. In addition, Apple says it's aware of a report that this issue may have been actively exploited. 

The list of affected devices includes:

  • iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
  • Apple Watch Series 3 and later
  • iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation)

According to BleepingComputer, this is the seventh zero-day vulnerability patched within the last five months. 

Commenting on this news, Vishal Jain, Co-Founder and CTO at Valtix, says, “Attackers will always find ways to find zero-day vulnerabilities and get inside the enterprise network from the front door. This applies to both on-prem and public cloud environments. An important element of advanced cyberattacks are ping backs to command and control sites once a foothold is established. These infiltrations can exist for months on your network before they are discovered. Thus, enterprises need to have tools in place to have real-time visibility, monitor drifts and use a layered defense approach to limit the blast radius by preventing lateral movement of threats and putting proper security controls for outbound traffic to prevent exfiltration. This is another zero-day attack leveraging the Webkit browser engine on iOS. This does warrant a question whether it is safer for our industry to converge on a single browser engine across mobile and desktop users and collectively fight against these attacks.”

Hank Schless, Senior Manager, Security Solutions at Lookout, explains, “While Apple hasn’t released many details about the vulnerability, a successful exploit could allow malicious websites to perform arbitrary cross-scripting on the device. This means that an attacker could easily redirect you to a malicious page they built, phish login credentials for personal or corporate accounts, or deliver malware to the device to spy on the user or exfiltrate files from any cloud-based service that user has access to. This incident exemplifies how delivering phishing links through platforms like social media, third-party messaging apps, gaming, and even dating apps makes it easier to socially engineer mobile users. 

Schless adds, "Threat actors target exploitable OS-level vulnerabilities because a successful attack can give them access to cloud-based resources that the device is connected to. Platform developers are building their tools to be usable from any device. Users widely embrace this approach because it enables them to work flexibly and collaborate on projects from anywhere. This increased productivity increases the number of devices and networks that access corporate resources, which make it difficult for security teams to have visibility into the risks at hand. Attackers know that there is a natural lag time between a zero-day vulnerability being discovered, a patch being delivered, and end users actually installing the update to patch the issue. People who choose to ignore or delay OS updates only expand the window of opportunity for attackers. Security teams need a way to limit access to corporate cloud resources until a device has installed the latest patch. Cloud-based security solutions allows organizations to push access policies to all users as soon as the vulnerability patch is released.”