Apple just released iOS 14.4, with absolutely essential security updates. Although we rarely use this blog as a method of announcing patches and releases from specific vendors, the iOS security vulnerabilities in Apple’s recent release are so essential that we’ll break with tradition. We’ll break down the three key points in Apple’s release notes for you below.
What is WebKit, anyway? It’s the web browser engine used by Safari, Mail, App Store, and many other apps on macOS, iOS, and Linux (source: webkit.org). In other words, if you use iOS, and you browse the web or use any of the above-mentioned apps, you are almost certainly a user of WebKit.
2. Arbitrary Code Execution
When an exploit involves arbitrary code execution, it means that an attacker can write code of their choosing, and potentially run it on the vulnerable device. When combined with the “delivery mechanism” of WebKit, it means that there is potential for an attacker to set up a website that leads to your iOS device running arbitrary code of their choosing. That’s bad.
3. May Have Been Actively Exploited
Here’s the part that Apple’s release notes rarely say: this particular vulnerability may have been actively exploited. That is a very strong signal, one that Apple rarely sends. It makes us concerned that this WebKit + Arbitrary Code Execution combination may have actually been exploited by cyber attackers “in the wild” — i.e. actively exploited. If true, that means that there are individuals who (probably without even realizing it) have been running code conveyed to their device via this exploit. And, that code may be doing unknown harm to their privacy and security.
Wrapping Up: iOS Security
If you have an iOS Device, please go to Settings => General => Software update and install the iOS 14.4 update today. Your iOS security is of great importance to your privacy and security.