Apple fixes an arbitrary code execution flaw in Safari

In a series of updates tailor-made for its different platforms, Apple has rolled out important security fixes that address a serious Safari vulnerability.

The update initiative brought an important patch to operating systems running on a broad spectrum of Apple devices. Specifically, it closed a security loophole affecting iOS and iPadOS 14.4.1, watchOS 7.3.2, as well as macOS Catalina and macOS Mojave. Laptops and desktops running macOS Big Sur received the fix in the new version 11.2.3.

The platforms on the list didn’t receive any feature updates but got armored with security improvements and bug fixes for Safari 14.0.3. According to Apple’s security notes describing the changes, the fresh build of the web browser addresses a recently discovered problem that may allow a malicious actor to execute malware on a device covertly.

What exactly does the patch fix?

The updates remediate a vulnerability in WebKit, the browser engine that forms the foundation of the Safari versions made for the iPhone, iPad, Apple Watch, and the Mac ecosystem. Judging from the release documentation, the bug, categorized as a memory corruption issue, can lead to arbitrary code execution when the browser processes maliciously crafted web content.

In other words, an attacker may lure a user into visiting a malicious site that hosts such unsafe materials. If accessed from a vulnerable Safari version, the web page will quietly trigger a malicious download and run the associated harmful application on the device.

The security gap is catalogued as CVE-2021-1844. It was reported by analysts at Google’s Threat Analysis Group and Microsoft’s Browser Vulnerability Research program. Apple has fixed it through enhancements of the WebKit code validation workflow. Owners of devices that are susceptible to this exploitation vector are advised to apply the patch as soon as possible by going to the update section under settings.