by Dan Moren
iOS/iPadOS 14.4 updates contain patches for “actively exploited” vulnerabilities
Zack Whittaker at Tech Crunch:
Apple has released iOS 14.4 with security fixes for three vulnerabilities, said to be under active attack by hackers.
The technology giant said in its security update pages for iOS and iPadOS 14.4 that the three bugs affecting iPhones and iPads “may have been actively exploited.” Details of the vulnerabilities are scarce, and an Apple spokesperson declined to comment beyond what’s in the advisory.
It’s pretty rare for Apple to acknowledge an actively exploited security vulnerability in its patch notes for any product, and on the iPhone—largely considered among the most secure platforms—I would say it’s unheard of, at least in my memory.1 Update: My good pal Adam Engst gently reminded me that Apple alerted users to possibly actively exploited vulnerabilities in a variety of updates issued just last November, or as I like to call it, “late March 2020.”
Apple’s security note is promising more details soon, though the timing is as of yet unknown. Two of the vulnerabilities, which involved arbitrary code execution, are related to WebKit, the engine that underpins not only Safari but pretty much any web interface on the phone. The third was in the operating system kernel, and could allow a malicious application to get escalated privileges. All of those are fairly serious cases, so it’s for sure a little scary—definitely a case in which to urger your friends and family to update.
- With the exception possibly being in the case of flaws used to jailbreak phones. ↩