Whenever Apple releases a new iPhone software update, there’s always some trepidation about whether to jump in right away or wait and see if there are any serious bugs that need to be ironed out, but this time around there may be more reasons than usual to jump on iOS 14.4 sooner rather than later.
It’s the new features in iOS updates that usually get the most attention, but every iOS update also fixes a number of bugs, performance issues, and security vulnerabilities. In this case, iOS 14.4 has fixed three pretty big ones that have already been discovered by hackers and are being actively used to attack people’s iPhones.
As with every previous iOS release, Apple has provided details about the security content of iOS 14.4 and iPadOS 14.4 in the usual support document, but as TechCrunch points out, the three bugs that Apple is patching up this time are already out there in the wild.
This is in stark contrast to most previous iOS releases, where Apple closes security vulnerabilities that it has either discovered on its own or had reported to it privately by ethical security researchers. In a very rare move, however, Apple has come right out this time around and stated that these vulnerabilities “may have been actively exploited,” although when TechCrunch and others reached out for comment, the company declined to offer any more details at this time.
“Apple is aware of a report that this issue may have been actively exploited.”
So while we don’t know what groups of hackers may be using these vulnerabilities, it seems pretty clear that at least some are, although whether that was a widespread attack or something targeted at specific users is also still not clear.
Apple has simply attributed the discovery of each of the bugs to “an anonymous researcher,” although it’s uncertain whether that refers to one person or two or three different individuals. Apple has also promised that additional details will be made available soon, presumably after it’s given enough people a chance to install the iOS 14.4 update.
The Three Bugs
Two of the three vulnerabilities were found in the WebKit browser engine, which powers Safari, and would likely represent the biggest vector for an attack, most probably initiated through a malicious website or weblink, although there are other areas where WebKit is used, such as in HTML email messages and even link previews in Messages.
Apple’s security update specifies only that “a remote attacker may be able to cause arbitrary code execution,” without yet going into any more details, but since it’s already been exploited, it’s safe to say that it’s potentially dangerous for anybody who hasn’t yet updated to iOS 14.4.
The third bug was found in the core iOS kernel, and Apple notes that it would allow an application to elevate privileges and therefore access more information than it should normally be able to. With apps vetted through the App Store this would be less of a concern under normal circumstances, but it could be incredibly dangerous when tied together with the WebKit vulnerabilities noted above.
In other words, this trio of security bugs could work together to allow a malicious website or URL to execute code on your iPhone or iPad which would also be able to elevate privileges, potentially accessing personal data or injecting code into other applications.
This is far from the first time that security vulnerabilities in iOS have been actively exploited. In a high-profile case back in 2019, Google researchers discovered code scattered on several malicious websites that had been potentially compromising iPhone users as far back as iOS 10. It was later discovered that this was a targeted attack on Uyghur Muslims, likely initiated by the Chinese Government, and therefore not something that most iPhone users actually needed to be concerned about, at least not for their own personal security.
At this point, however, we don’t know how widespread these attacks are, so we’d strongly recommend updating your devices to iOS 14.4 without delay.