Apple on Wednesday released software updates to patch a critical code execution vulnerability in its WebKit engine, which is included in the company’s operating systems, as well as in web browsers such as Safari and others.
The WebKit issue, tracked as CVE-2020-3844, was reported to Apple by an anonymous researcher who has earned $75,000 through the company’s bug bounty program.
The vulnerability is a type confusion issue that allows an attacker to execute arbitrary code on a vulnerable device by simply getting the victim to visit a malicious website.
Apple said the flaw affects all versions of Safari prior to 14.0 for macOS Mojave and High Sierra, as well as iOS and iPadOS versions prior to 14.0.
In addition to the WebKit update, Apple also released updates for iTunes for Windows 10 and earlier, iCloud for Windows 10 and earlier, and AirPort Base Station Firmware.
SecurityWeek has reached out to Apple for more details about the WebKit vulnerability and whether exploitation has been spotted in the wild.
This is not the first WebKit bug Apple has patched in 2020. In January, the tech giant released a fix for a zero-day flaw, tracked as CVE-2020-3841, that had been exploited in the wild against users of its Safari web browser.
Apple also fixed several WebKit security flaws back in June 2017.
Organizations and users are advised to install the available patches in order to protect themselves.
This Cyber News was published on www.securityweek.com. Publication date: Tue, 24 Jan 2023 03:31:02 +0000