iPhone, iPad and Mac security: Apple releases fixes for bug that could allow code execution via malicious web content

Apple releases patch for a security flaw found by researchers at Google and Microsoft.
Written by Liam Tung, Contributing Writer

Apple has released a fix for a bug that affects iPhones, iPads and MacBooks and which could lead to 'arbitrary code execution' by visiting a website hosting malicious code. 

Like many bugs, this one is a memory related bug and it affects WebKit, the browser engine behind Safari on iPhones and MacBooks. Apple delivered the security fix in macOS Big Sur 11.2.3 and iOS 14.4.1 and iPadOS 14.4.1

In typical fashion, Apple hasn't released much information about the bug but notes that the issue means its browser is vulnerable to processing maliciously crafted web content that "may lead to arbitrary code execution".

SEE: Top 10 iPad tips (free PDF) (TechRepublic)

The bug, tracked as CVE-2021-1844, was discovered by Clément Lecigne from Google's Threat Analysis Group and Alison Huffman from Microsoft's browser vulnerability research group. 

Apple doesn't say whether the bug was being exploited before the update. Both security researchers are noteworthy. 

Huffman discovered a flaw in Google's Chrome browser that was being exploited before Google released a patch. That bug, CVE-2021-21166, was addressed in the release of the Chrome 89 stable channel for desktop on Windows, Mac, and Linux last week. Lecigne found two critical iPhone bugs that were being exploited in 2019.   

The iOS updates are available for the iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation).

iOS 14.4.1 is available now worldwide and contains a 138MB update. "This update provides important security updates and is recommended for all users," Apple notes. iPhone owners can go to the Settings app and check for software updates to get the patch. It's always easy to install but, as usual, the process takes a few minutes while the device prepares the update and then users will need to wait for the device to restart. 

Editorial standards