Malicious Campaign Exploits Safari Zero-day

Apple has recently released an urgent update to patch a zero-day vulnerability in WebKit, Apple’s open-source web browser engine. The flaw, tracked as CVE-2021-1879, affects iOS, iPadOS and watchOS devices.

July 23, 2021 by Ferdous Saljooki


Apple has confirmed the zero-day is being actively exploited and describes the bug as, “Processing maliciously crafted web content may lead to universal cross-site scripting”. This allows an attacker to craft a malicious link that, when clicked, executes arbitrary code and steals sensitive data from the victim's device.

Researchers at Google’s Threat Analysis Group (TAG) discovered this Safari vulnerability on March 19, 2021, after it had been exploited in the wild. Google researchers claim that the exploit was likely used by Russian government-backed actors in a campaign leveraging LinkedIn’s platform. The threat actors used LinkedIn Messaging to send maliciously crafted links to the target victims. Upon visiting the link from an iOS device running version 12.4 through 13.7, victims would be redirected to an attacker-controlled domain serving various payloads, with CVE-2021-1879 delivered as the final payload.

Google researchers state that the attacker’s exploit disabled the Same-Origin Policy, a security feature built into Safari and other web browsers that prevents a malicious website from accessing sensitive data belonging to other sites. The victim needed to have an open Safari session for attackers to successfully exfiltrate authentication cookies from websites such as Google, Microsoft, LinkedIn, Facebook and Yahoo.

This vulnerability was successfully patched by Apple with the release of iOS 14.4.2, iPadOS 14.4.2 and watchOS 7.3.3. Patches have also been released for older devices with iOS 12.5.2.

As always, Jamf urges users to “patch fast and patch often,” updating to the latest operating system versions to stay protected against known Apple threats and vulnerabilities.

Indicators of Compromise (IoC)

  • supportcdn.web[.]app
  • vegmobile[.]com
  • 111.90.146[.]198
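Two defender-side checks that follow from the indicators above and from the patched versions listed earlier in the post, as an added example (not Jamf's or Apple's code): one refangs the published IoCs and matches them against proxy log lines, the other decides whether a reported iOS/iPadOS/watchOS version is at or above a fixed build. The log line format and the log lines themselves are constructed for the example; the rule that a fix only covers its own major branch (so 12.5.2 covers 12.x, 14.4.2 covers 14.x and later, and 13.x stays unpatched) is an assumption that is consistent with, but not stated on, the page.

```python
"""Defender-side checks for the CVE-2021-1879 campaign (added example)."""
import ipaddress
import re

# IoCs exactly as published on the page (defanged with "[.]").
IOCS_DEFANGED = [
    "supportcdn.web[.]app",
    "vegmobile[.]com",
    "111.90.146[.]198",
]

# Fixed builds from the page: iOS/iPadOS 14.4.2, watchOS 7.3.3, iOS 12.5.2.
PATCHED = {
    "ios": [(14, 4, 2), (12, 5, 2)],
    "ipados": [(14, 4, 2)],
    "watchos": [(7, 3, 3)],
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its real form for matching."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def split_iocs(iocs):
    """Separate refanged indicators into a set of IPs and a set of domains."""
    ips, domains = set(), set()
    for raw in iocs:
        value = refang(raw).lower()
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value)
    return ips, domains


def host_matches(host: str, domains) -> bool:
    """True if host equals an indicator domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


# Constructed proxy log format (not from the page):
# "<timestamp> <client_ip> <requested_host> <destination_ip> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Constructed sample lines; non-IoC addresses use documentation ranges.
SAMPLE_LOG = [
    "2021-03-19T10:02:11Z 10.0.0.5 www.example.com 198.51.100.1 200",
    "2021-03-19T10:02:12Z 10.0.0.5 supportcdn.web.app 203.0.113.10 302",
    "2021-03-19T10:02:13Z 10.0.0.7 cdn.vegmobile.com 111.90.146.198 200",
    "2021-03-19T10:02:14Z 10.0.0.9 update.example.net 111.90.146.198 200",
]


def scan_log_lines(lines, iocs=IOCS_DEFANGED):
    """Return (line_number, matched_indicator) for every line hitting an IoC.

    Host matching is tried first (catches subdomains of an indicator);
    the destination IP is checked when the host is clean.
    """
    ips, domains = split_iocs(iocs)
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than silently match
        _, _, host, dest_ip, _ = m.groups()
        if host_matches(host, domains):
            hits.append((n, host.lower()))
        elif dest_ip in ips:
            hits.append((n, dest_ip))
    return hits


def parse_version(text: str):
    """'14.4' -> (14, 4, 0); missing components are padded with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_patched(platform: str, version: str) -> bool:
    """True if the version is at or above a fixed build on its major branch.

    Assumption (not on the page): a fix covers the major version it shipped
    for; a major newer than every fixed build is treated as fixed too.
    """
    fixes = PATCHED[platform.lower()]
    v = parse_version(version)
    if v[0] > max(f[0] for f in fixes):
        return True
    return any(v[0] == f[0] and v >= f for f in fixes)


if __name__ == "__main__":
    for line_no, indicator in scan_log_lines(SAMPLE_LOG):
        print(f"line {line_no}: matched IoC {indicator}")
    for plat, ver in [("iOS", "12.5.1"), ("iOS", "13.7"), ("iOS", "14.4.2")]:
        print(f"{plat} {ver}: {'patched' if is_patched(plat, ver) else 'UNPATCHED'}")
```

Running the script on the constructed lines flags lines 2 and 3 by hostname (the second through the `cdn.` subdomain of an indicator) and line 4 by destination IP only, which is the case a hostname-only match would miss; the version check reports 12.5.1 and 13.7 as unpatched and 14.4.2 as patched.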

To discuss how to help you stay on top of system updates, contact Jamf or your preferred Apple reseller today.
