Apple released updates for iOS 14.4 and iPadOS 14.4 on Tuesday after an anonymous researcher discovered that attackers could remotely hack certain iPhones, iPads and iPods.
On the company’s support page, Apple described two security threats that were fixed in the most recent operating system update, version 14.4. Both security threats, Apple said, may have already been exploited.
The company explained that a vulnerability, which is linked to the browser’s rendering engine, WebKit, could allow remote hackers to access a device.
Katie Moussouris, CEO and founder of cybersecurity company Luta Security, said this means that an attacker can control a user’s phone. “You buzzed that device,” she said. “You are controlling it from a distance.”
And since the threat is linked to Internet browsing, she noted, “Your regular web browsing can keep you engaged without having to do much else,” she said. “And that is a problem.”
A second security threat outlined by Apple involves a “malicious application” that may be able to elevate the user’s privileges. In theory, said Moussouris, a malicious agent could exploit this with an application. “It is possible that a vector is almost like a sleeping cell in an application,” she said. “If you are vulnerable, he tries to exploit you.”
This threat is known as a kernel vulnerability. “The kernel’s vulnerabilities, just by their nature, will be more serious.” Moussouris said: “[The kernel] it is part of the brain of the operating system. You are supposed to be the most protected … Surely, you know this is a serious problem. “
Apple said it fixed the issue in its latest operating system update and encouraged iOS and iPadOS users to update their devices. The website’s security update page notes: “Keeping your software up to date is one of the most important things you can do to keep your Apple product safe.”
Moussouris said users should update their operating systems as soon as possible. “The exposure window for consumers is between when a patch is available and when they actually apply it,” she said, and noted that Apple doesn’t always do automatic updates.
“Apple needs to enter a modern era of transparency around security vulnerabilities and make it that much easier,” said Moussouris, “so that the average person can set it up and forget about it and have a lot more automation.”
Apple declined to offer additional comments on the security vulnerability.