Apple’s iOS 14.4 and iPadOS 14.4 were both released today (Jan. 26), and if you’ve got an Apple device running either iOS 14 or iPadOS 14, you’d better update to them. They patch three security flaws that may be actively and currently exploited by attackers unknown.
The Apple security bulletin says the updates fix a kernel flaw, designated CVE-2021-1782, and two flaws in the WebKit browser-rendering engine underpinning Safari, CVE-2021-1870 and CVE-2021-1871.
In each case, Apple says it is “aware of a report that this issue may have been actively exploited” and credits the discovery of the flaw to “an anonymous researcher.”
The kernel flaw is the result of a race condition, in which a malicious command tries to beat an authorized command to the next step in a process, that permits elevation of privileges — in other words, giving an app more powers over the OS than it’s meant to have.
The WebKit bugs are the result of “a logic issue,” which could mean almost anything, and permit “arbitrary code execution” — running malware — by a “remote attacker” over the internet.
So far, that’s about all we know. The Common Vulnerabilities and Exposures (CVE) listings for those bugs reveal nothing. We don’t know who found them, who’s using them, how they attack iPhones or what they do when they succeed. Apple promises “additional details available soon.”
If it’s any comfort, most iOS security flaws that were revealed to have been exploited “in the wild” over the past few years have been used only in targeted attacks against specific persons or groups.
That’s no help if you’re famous, work in the defense or media industries or are a political dissident in a repressive country, so patch those phones and iPads.