iOS WebKit Vulnerabilities
Lookout Coverage and Recommendation for Admins
With Vulnerability and Patch Management, Lookout admins can set the default OS Out-of-Date policy to have a minimum compliant iOS version of 14.4.2. From there, admins can choose whether to simply alert the user that the device is out of compliance or completely block access to corporate resources until iOS is updated.
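The policy above reduces to a per-device decision: compare the installed iOS version against the 14.4.2 floor and either alert or block. This added example (not Lookout's code; the device record schema, the `mode` values and the sample inventory are assumptions) shows that check done with numeric rather than string comparison, and treats an unparsable version as non-compliant rather than silently allowing it.

```python
from __future__ import annotations

# Minimum compliant version named in the advisory.
MIN_COMPLIANT_IOS = "14.4.2"


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '14.4.2' into (14, 4, 2). Raises ValueError on malformed input."""
    return tuple(int(part) for part in version.strip().split("."))


def is_compliant(device_version: str, minimum: str = MIN_COMPLIANT_IOS) -> bool:
    """Numeric, component-wise comparison.

    Plain string comparison would rank '14.4.10' below '14.4.2'; comparing
    integer tuples avoids that. Shorter versions are zero-padded so that
    '14.5' is treated as 14.5.0.
    """
    dev = parse_version(device_version)
    req = parse_version(minimum)
    width = max(len(dev), len(req))
    return dev + (0,) * (width - len(dev)) >= req + (0,) * (width - len(req))


def evaluate(device: dict, mode: str = "alert") -> dict:
    """Apply the OS Out-of-Date policy to one device record.

    `device` is a hypothetical record {"device_id": ..., "os_version": ...};
    `mode` is "alert" or "block", mirroring the two admin choices.
    """
    try:
        compliant = is_compliant(device["os_version"])
    except ValueError:
        # Fail closed: a version string we cannot parse is not evidence of a patch.
        compliant = False
    if compliant:
        action = "allow"
    else:
        action = "block" if mode == "block" else "alert"
    return {"device_id": device["device_id"], "compliant": compliant, "action": action}


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    inventory = [
        {"device_id": "dev-1", "os_version": "14.4.2"},
        {"device_id": "dev-2", "os_version": "14.4.1"},
        {"device_id": "dev-3", "os_version": "14.5"},
        {"device_id": "dev-4", "os_version": "unknown"},
    ]
    for record in inventory:
        print(evaluate(record, mode="block"))
```

A flat 14.4.2 floor will also flag the older devices the advisory mentions that are capped at iOS 12, even after they receive Apple's separate fix; the page does not name that iOS 12 version, so a separate floor for those devices is left as an admin decision.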
In addition, Lookout Phishing & Content Protection will help protect mobile users from malicious phishing campaigns built to exploit these vulnerabilities. Lookout PhishingAI constantly monitors the web for new sites built specifically for phishing purposes and implements protection against them in near real-time.
Overview
Apple released an urgent software update to iOS 14.4.2 to patch a serious vulnerability in Apple’s WebKit browser engine. This vulnerability is actively being exploited in the wild according to Apple. This is not the first urgent security patch that Apple has released for iOS 14, as there were three highly critical vulnerabilities found in iOS 14.3 earlier in 2021. In addition to releasing 14.4.2, Apple also deemed this vulnerability serious enough to release an update for devices that can only run up to iOS 12, such as iPhone 5s, 6, and older iPads.
Lookout Analysis
While Apple hasn’t released many details about the vulnerability, a successful exploit could allow malicious websites to perform arbitrary cross-site scripting on the device. This means that an attacker could easily redirect you to a malicious page they built, phish login credentials for personal or corporate accounts, or deliver malware to the device to spy on the user or exfiltrate files from any cloud-based service that user has access to. In addition, the attacker could perform actions on the user’s behalf on malicious sites.
Since this vulnerability exists in WebKit, it could also be used inside iOS apps. This incident exemplifies why attackers have found that delivering phishing links through platforms like social media, third-party messaging apps, gaming, and even dating apps makes it easier to socially engineer mobile users.