Apple has released watchOS 7.3.3 with an important security fix for a WebKit flaw that may have been actively exploited by hackers. The update is available for Apple Watch Series 3 and later, and it is recommended that users install it as soon as possible.
watchOS 7.3.3 fixes cross-site scripting vulnerability
The flaw was reported to Apple by two members of the Google Threat Analysis Group. It is related to cross-site scripting, and Apple fixed the issue by implementing improved management of object lifetimes. Although Apple notes that the zero-day flaw might have been actively exploited, it has not shared any further details:
Available for: Apple Watch Series 3 and later
Impact: Processing maliciously crafted web content may lead to universal cross site scripting. Apple is aware of a report that this issue may have been actively exploited.
Description: This issue was addressed by improved management of object lifetimes.
CVE-2021-1879: Clement Lecigne of Google Threat Analysis Group and Billy Leonard of Google Threat Analysis Group
As WebKit is only used on Apple Watch Series 3 and later, the software update is not available for older Apple Watch models.
To update, make sure that your Apple Watch has at least 50% battery charge and is placed on its charger. Connect your iPhone to Wi-Fi, open the Watch app, and go to General > Software Update to download the new version.
Apple also released iOS 14.4.2 and iPadOS 14.4.2, along with iOS 12.5.2, to fix the same WebKit flaw on iPhone, iPad, and iPod Touch models, including devices that were discontinued almost 5 years ago.
This is the 7th zero-day flaw fixed by Apple in the last 5 months. Two of them were related to WebKit, while the others were kernel and memory management flaws that provide escalated privileges. It has been a busy few months not just for Apple but also for other operating system vendors like Microsoft and Google, which have been under constant attack through various zero-day exploits.