Another software vulnerability story is making the rounds. Vulnerabilities tend to fall into two groups: those that attackers found and exploited in the wild before a fix was available, and those that were patched before anyone had the chance to abuse them. Microsoft recently had a flaw in the first group. It is often hard to tell at disclosure time whether a bug has been exploited, but time usually tells.
This time it is Apple's turn, and the flaw is a serious one. Apple has confirmed a vulnerability in WebKit, the engine behind its Safari web browser, and the flaw is being actively exploited in the wild. Apple has a strong reputation for security and privacy, but it is not immune to exploitable bugs, whether in software or in hardware (as the recent reports about the new Apple M1 chip showed).
Safari Web Browser Vulnerability
According to the security release note on Apple's official website, dated September 13th, 2021, a critical vulnerability in WebKit, the browser engine used by Safari, is being exploited in the wild. Its CVE identifier is CVE-2021-30858.
The flaw is a use-after-free bug: while WebKit processes web content, an object is freed and later accessed again through a stale pointer. An attacker only needs to lure the victim to a specially crafted web page; loading that page triggers the use-after-free and can give the attacker arbitrary code execution inside the browser, which in turn may lead to full compromise of the device. Because the bug sits in WebKit rather than in Safari's user interface, everything built on that engine is exposed.
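To make the bug class concrete, here is an added example that is not code from WebKit, from Apple, or from the advisory: a deliberately small C model of the classic browser-engine use-after-free, where a script-installed event handler removes the very node the engine is still holding a raw pointer to. The `Node`, the fixed-size pool that stands in for the browser heap, and the handler names are all hypothetical; the pool makes the reuse of a freed slot deterministic so the stale read is observable without relying on undefined behaviour. The vulnerable dispatch is shown next to the hardened one, which holds its own reference across the callback (the pattern WebKit uses with `RefPtr<Node> protect(node)`).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define POOL_SLOTS 4
#define TEXT_LEN 16

/* Hypothetical DOM-like node: one refcount shared by the document and by
 * engine code, plus a script-installed event handler. */
typedef struct Node {
    int refcount;
    bool in_use;                      /* pool bookkeeping: slot allocated? */
    char text[TEXT_LEN];              /* node content */
    void (*on_event)(struct Node *);  /* handler installed by script */
} Node;

/* A tiny fixed pool stands in for the browser heap (constructed for this
 * example) so that reuse of a freed slot is deterministic. */
static Node pool[POOL_SLOTS];

static void pool_reset(void) { memset(pool, 0, sizeof pool); }

static Node *node_alloc(const char *text) {
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = true;
            pool[i].refcount = 1;        /* caller (the document) owns one ref */
            pool[i].on_event = NULL;
            strncpy(pool[i].text, text, TEXT_LEN - 1);
            pool[i].text[TEXT_LEN - 1] = '\0';
            return &pool[i];
        }
    }
    return NULL;
}

static void node_free(Node *n) { memset(n, 0, sizeof *n); }  /* slot back to pool */
static void node_ref(Node *n)  { n->refcount++; }
static void node_deref(Node *n) { if (--n->refcount == 0) node_free(n); }

/* What script can do from inside a callback: remove the node the event
 * fired on, so the document drops its (only) reference. */
static void handler_remove_self(Node *n) { node_deref(n); }

/* Vulnerable dispatch: fire the handler, then keep using the raw pointer.
 * If the handler freed n, the next allocation (an attacker's heap spray)
 * can land in the same slot, and the stale pointer now reads attacker data. */
static void dispatch_vulnerable(Node *n, char *out, size_t out_len) {
    if (n->on_event) n->on_event(n);
    node_alloc("ATTACKER");              /* reclaims the freed slot */
    strncpy(out, n->text, out_len - 1);  /* use after free */
    out[out_len - 1] = '\0';
}

/* Hardened dispatch: take our own reference before the callback, so the
 * node cannot be destroyed underneath us, and release it afterwards. */
static void dispatch_hardened(Node *n, char *out, size_t out_len) {
    node_ref(n);
    if (n->on_event) n->on_event(n);
    node_alloc("ATTACKER");              /* lands in a different slot */
    strncpy(out, n->text, out_len - 1);  /* still the original content */
    out[out_len - 1] = '\0';
    node_deref(n);                       /* node is released only now */
}

/* Runs one scenario on a fresh pool; returns true if the text observed
 * after dispatch is attacker-controlled (i.e. the stale read happened). */
static bool run_scenario(bool hardened, char *out, size_t out_len) {
    pool_reset();
    Node *victim = node_alloc("victim");
    victim->on_event = handler_remove_self;
    if (hardened) dispatch_hardened(victim, out, out_len);
    else          dispatch_vulnerable(victim, out, out_len);
    return strcmp(out, "ATTACKER") == 0;
}

int main(void) {
    char seen[TEXT_LEN];
    bool hijacked = run_scenario(false, seen, sizeof seen);
    printf("vulnerable dispatch read \"%s\" (attacker-controlled: %s)\n",
           seen, hijacked ? "yes" : "no");
    hijacked = run_scenario(true, seen, sizeof seen);
    printf("hardened dispatch read   \"%s\" (attacker-controlled: %s)\n",
           seen, hijacked ? "yes" : "no");
    return 0;
}
```

The point of the model is the ordering: the engine cannot assume that the object it is working on still exists after it hands control to script. In a real engine the freed slot is reclaimed by attacker-sprayed objects of the same size, which is why a use-after-free in a renderer so often turns into arbitrary code execution rather than a mere crash.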
Vulnerable Software Versions
The following versions of Safari are vulnerable: Safari releases earlier than 14.1.2 on macOS Mojave and macOS Catalina, and the Safari bundled with macOS Big Sur releases earlier than 11.6.
Critical User Information
Apple has released a fix, although the flaw is already being exploited in the wild. The update is Safari 14.1.2 for macOS Mojave and macOS Catalina. After installing it, the Safari build number (shown under Safari > About Safari) reads 14618.104.22.168.7 on macOS Mojave and 15622.214.171.124.7 on macOS Catalina. On macOS Big Sur the WebKit fix ships as part of the 11.6 update, which the automatic update mechanism will normally install on its own; unlike the other two, it does not change the Safari build number. More details are in the security release note mentioned above and in Apple's security updates list. Users should make sure macOS is set to update automatically: open System Preferences, choose Software Update, and tick the option to keep the Mac up to date automatically.