Apple yesterday (May 24) officially rolled out iOS 14.6 and macOS Big Sur 11.4 to its users in a wide-ranging update that spans new support for Apple Card Family, updates to AirTags and major fixes for a mind-boggling number of security issues — several of which teeter on the “very serious” side of things.
iOS 14.5 arrived last month with a slew of high-profile features, which aimed to change how we use our phones. With iOS 14.6, you’d be quickly forgiven for losing track of Apple’s updates, which seem endless at the moment. That said, you’ll definitely want to get your smartphone updated to iOS 14.6 given the security issues we’ve rounded up below.
The real nitty-gritty of iOS 14.6 is in its plethora of security fixes that address a number of substantial vulnerabilities. These range from malicious audio files that can be exploited by bad actors to reveal sensitive personal info to glaring weaknesses in iOS’ Core Services that provide an entry point for malware.
Here’s all you need to know about this latest round of security threats to macOS and iOS devices, and exactly why you need to get your iPhone, iPad and Mac updated as quickly as you can.
How to update to iOS 14.6 now
To update your iPhone’s software to iOS 14.6, head to Settings and select General. Next, tap Software Update. From here, you should be able to update to iOS 14.6. The download is approximately 577 MB, so it should not take that long over Wi-Fi.
macOS Big Sur 11.4 security fixes
Apple counts 38 different flaws being fixed in iOS 14.6 and iPadOS 14.6, with some flaws having more than one Common Vulnerabilities and Exposures (CVE) reference number.
Some of the same flaws are fixed in macOS Big Sur 11.4, which sees 58 flaws patched by Apple’s count. (MacOS 10.15 Catalina and 10.14 Mojave got patches as well.)
Chief amongst the security issues facing macOS is a nasty strain of malware that secretly takes screenshots of users’ Macs, making the need to get your system updated even more urgent.
During research into the XCSSET malware, initially discovered back in August 2020, cybersecurity firm Jamf discovered that a macOS zero-day exploit (CVE-2021-30713) was used by XCSSET to bypass Apple’s Transparency Consent and Control protections.
Abbreviated to TCC, this feature sounds the virtual alarm when an app is behaving in a way that could threaten users’ privacy like, say, taking photos or logging keystrokes. In sidestepping this protection, the XCSSET malware is able to circumvent the safeguards to users’ privacy.
“The exploit in question could allow an attacker to gain Full Disk Access, Screen Recording, or other permissions without requiring the user’s explicit consent,” according to the Jamf researchers.
It’s a pretty darn serious vulnerability, not least because it’s one that could be exploited to gain unauthorized access to users’ files, but because it can record video and audio direct from the victims’ computers while hijacking other apps’ permissions.
The weakness has reportedly been patched in the latest version of macOS Big Sur 11.4, which was released on Monday (May 24). You can grab the latest macOS Big Sur update from the Mac App Store.
iOS 14.6: WebKit updates
Back in the limelight once again is our old friend, WebKit. WebKit is the engine behind Apple’s Safari browser and is no stranger to bad press, having already been seriously scrutinized for security vulnerabilities earlier this year.
The vulnerabilities hinge on cross-site scripting attacks against iPhone users. Here, hackers can steal your internet cookies and sessions in Safari, effectively giving them an inroad for a full account hijacking. Bug hunters identified seven vulnerabilities in the browser engine, “including two that would allow arbitrary code execution,” according to The Register.
iPhones and iPad could be compromised by these malicious web pages to pinch details and sensitive info. Apple lists six fixes to WebKit in iOS 14.6 to prevent these attacks, plus to stop “maliciously crafted web content” for universal cross-site scripting.
Apple’s watchOS and tvOS also received security updates to fix many of the same issues.
Too little, too late?
Apple says that it is aware of reports that three macOS and tvOS zero-day vulnerabilities (CVEs 2021-30663, 30665 and 30713) “may have been actively exploited.” In other words, those are “zero-day” flaws in that they’re exploited by attackers before the defenders are able to deliver a fix.
However, Apple stopped short of adding any further information on who may have exploited these security holes before the fixes were rolled out. None of these three flaws seem to appear in iOS, iPadOS, watchOS or in macOS Catalina or Mojave.
The operative statement in all this is to update your iPhone, iPad, Mac, Apple Watch and Apple TV right now. We’ve got a robust set of updating instructions in our how to upgrade to iOS 14.6 guide if you find yourself stuck.
More: The best Mac antivirus software