We’ll probably never be entirely free of the cat-and-mouse game that goes on between operating system makers and hackers, but the good news is that at least Apple’s ecosystem is very proactive when it comes to making sure that security holes are plugged as quickly as possible — a benefit that many other smartphones don’t enjoy.
Even so, many users are often cautious when a new update is released for their iPhone, iPad, or Apple Watch. After all, if everything is working fine, why risk breaking things with an unknown software update? Especially on day one. Lots of folks understandably prefer to wait until others take the plunge and then wait to see how things work out for them.
However, sometimes discretion really isn’t the better part of valour when it comes to Apple software updates, and this is actually becoming more common as new security vulnerabilities are discovered.
Hackers frequently find obscure holes in Apple’s usually tight iOS security model that can be exploited for nefarious purposes. When this happens, the only real solution is for Apple to close those holes with a software update, which means that if you want to be protected, you have to update to the latest version.
Such is the case with a set of new iOS and watchOS updates released late Friday, which contain an important fix to a security exploit that Apple says “may have been actively exploited.”
In other words, this isn’t just a theoretical fix. Hackers are out there actually using a flaw in iOS 14.4 (and likely older versions) to attack users’ iPhones. Naturally, Apple is fairly circumspect about how widely this flaw has been exploited, but the fact that it’s in the hands of bad actors at all should be enough to give most users pause.
Specifically, the fix is found in iOS 14.4.2, iPadOS 14.4.2, and watchOS 7.3.3. However, unlike the iOS 14.4 release in January which also fixed three other known exploits, these latest updates are focused exclusively on plugging whatever hold it is that Apple has discovered.
In fact, this particular issue is serious enough that it’s prompted Apple to release a rare patch to an older iOS version as well, in the form of iOS 12.5.2.
This is intended to protect any who is using an older device that can’t be upgraded beyond that version, such as iPhone 5s, iPhone 6, iPad Air, iPad mini 2, iPad mini 3, or sixth-generation iPod touch.
Apple has not released a similar patch for iOS 13, since all iPhone models capable of running iOS 13 can be upgraded to iOS 14, and can therefore use the iOS 14.4.2 patch.
Notably, only the Apple Watch Series 3 and later are compatible with watchOS 7. Apple has not made a watchOS 6 update available for users with an Apple Watch Series 0, Series 1, or Series 2, however it’s also possible the vulnerability simply doesn’t exist in watchOS 6.
In a series of support documents, Apple provides only a brief explanation of the issue, suggesting that it has to do with a vulnerability in the Safari browser and its underlying WebKit framework.
Processing maliciously crafted web content may lead to universal cross site scripting. Apple is aware of a report that this issue may have been actively exploited.
Apple also adds that the fix was based on a report, CVE-2021-1879, that was filed by Clement Lecigne and Billy Leonard of Google’s Threat Analysis Group. This is a similar, but distinct group within Google from its “Project Zero” team, which has been credited with discovering several iOS vulnerabilities over the past few years — often to Apple’s chagrin.
Google’s Threat Analysis Group, however, is a separate hacking team within the tech giant that tracks government-based attacks. This suggests that the exploit that was found in this case may have been used by some government, or government-sponsored cyber-espionage organization.
This is actually the third iOS 14 update released this year that’s included fixes for potentially serious exploits, with iOS 14.4 patching no less than three known vulnerabilities, and iOS 14.4.1 patching a WebKit flaw that could have allowed hackers to execute code using “maliciously crafted” web pages.
The good news, however, is that Apple has begun taking an even more proactive approach to security, with at least two significant changes coming to iOS 14.5 that will stop hackers in their tracks, including a new ‘BlastDoor’ feature that will lock down the Messages app much more tightly against malformed text messages leading to exploits and crashes.