In a surprising admission, Apple says it is releasing an update to iOS and iPadOS to fix vulnerabilities that hackers are actively exploiting. According to Apple, the bugs could let third parties “cause arbitrary code execution.”
The news comes from Apple’s support page for iOS 14.4. In it, Apple states under the Kernel and WebKit sections:
Impact: A remote attacker may cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
It is not uncommon for companies to realize that potential vulnerabilities may exist and to close those gaps. But it is rare to see Apple admit that a problem went unnoticed until hackers started exploiting the bug. Exactly what the bad actors achieved isn’t clear, but the ability to execute arbitrary code is cause for concern.
Unfortunately, we know very little because Apple has not provided details. We are not sure how many people were affected or what the hackers achieved. With the right sequence of events, the result could be very bad, but it is just as possible that the overall effect is relatively benign. All things considered, though, the former is much more likely, especially considering that there are multiple vulnerabilities that can be used together.
Apple says it will release more details later, and that will likely be sometime after 14.4 is widely installed. Providing more information now could give other hackers the tools to reproduce the vulnerability before everyone is protected.
If you have an iPhone 6s or later, iPad Air 2 or later, iPad mini 4 or later, or iPod touch (7th generation), check for updates now. If you do not have a Wi-Fi connection, download the update as soon as possible. Prevention is better than cure.