Apple has shipped an urgent security update to fix a major security flaw affecting iPhone, iPad and Apple Watch devices alongside a warning that the vulnerability is being actively exploited in the wild.
The new iOS 14.4.2 was released on Friday with yet another band-aid for Apple’s flagship iOS platform and the company said it was “aware of reports that an exploit for this issue exists in the wild.”
As is customary, the company did not provide any additional details on the in-the-wild attacks.
A brief advisory describes the problem:
Impact: Processing maliciously crafted web content may lead to universal cross site scripting. Apple is aware of a report that this issue may have been actively exploited.
The company credited a pair of researchers from Google’s TAG (Threat Analysis Group) for reporting the issue, suggesting this may be linked to a wave of high-end APT campaigns documented by Google’s Project Zero unit.
Since January 2020, Apple has scrambled out patches for least 7 documented in-the-wild zero day attacks, mostly launched by nation-state backed threat actors.
[ READ: Sophisticated APT Spy Group Burned 11 Zero-Days ]
Last week, Google released new details on a pair of exploit servers used by a sophisticated threat actor to hit users across multiple platforms, including exploits aimed squarely at Apple’s IOS.
The APT group effectively burned through at least 11 zero-days exploits in less than a year to conduct mass spying across a range of platforms and devices.
Related: Zerodium Expects iOS Exploit Prices to Drop as It Announces Surplus
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
More from Ryan Naraine
- Oleria Scores $8M Seed Funding for ID Authentication Technology
- Aembit Scores $16.6M Seed Funding for Workload IAM Technology
- Project Zero: Samsung Mobile Chipsets Vulnerable to Baseband Code Execution Exploits
- Rapid7 Buys Anti-Ransomware Firm Minerva Labs for $38 Million
- Microsoft Pins Outlook Zero-Day Attacks on Russian Actor, Offers Detection Script
- Microsoft Warns of Outlook Zero-Day Exploitation, Patches 80 Security Vulns
- Adobe Warns of ‘Very Limited Attacks’ Exploiting ColdFusion Zero-Day
- Cloud Forensics Startup Mitiga Completes $45M Series A
Latest News
- Google Suspends Chinese Shopping App Amid Security Concerns
- Verosint Launches Account Fraud Detection and Prevention Platform
- Ransomware Gang Publishes Data Allegedly Stolen From Maritime Firm Royal Dirkzwager
- Zoom Paid Out $3.9 Million in Bug Bounties in 2022
- Oleria Scores $8M Seed Funding for ID Authentication Technology
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- News Analysis: UK Commits $3 Billion to Support National Quantum Strategy
- Malicious NuGet Packages Used to Target .NET Developers
