Apple released iOS 14.4 and iPadOS 14.4 updates on Tuesday after an anonymous researcher found that attackers may be able to remotely hack certain iPhones, iPads and iPods.
On the company’s support page, Apple outlined two security threats that have since been fixed in the newest operating system update, version 14.4. Both security threats, Apple said, may have already been exploited.
The company explained that one vulnerability, which is linked to the web browser rendering engine, WebKit, may allow remote hackers access to a device.
Katie Moussouris, CEO and founder of cybersecurity firm Luta Security, said that means an attacker could control a user’s phone. “You’ve zombified that device,” she said. “You are controlling it from a distance.”
And since the threat is tied to internet browsing, she noted, “Your regular web browsing may cause you to be held compromised, without having to do really much of anything else,” she said. “And that’s a problem.”
A second security threat Apple outlined involves a “malicious application” that may be able to elevate user privileges. In theory, Moussouris said, a malicious actor could exploit this with an app. “It is possible that a vector could be, almost like a sleeper cell of an app,” she said. “If you’re vulnerable, it tries to exploit it.”
This threat is known as a kernel vulnerability. “Kernel vulnerabilities, just by their nature are going to be more serious.” Moussouris said, “[The kernel] is part of the brain of the operating system. It’s supposed to be the most protected… For sure, you know this is a serious issue.”
Apple said they’ve fixed the issue in their latest operating system update, and encouraged iOs and iPadOS users to upgrade their devices. The site’s security update page notes, “Keeping your software up to date is one of the most important things you can do to maintain your Apple product’s security.”
Moussouris said users should update their operating systems as quickly as possible. “The window of exposure for consumers is between that time when a patch is available and when they actually apply that patch,” she said, and noted that Apple doesn’t always make updates automatic.
“Apple does need to come into a modern age of transparency around security vulnerabilities and make it a lot easier,” Moussouris said, “for the average person to set it and forget it and have a lot more automation.”
Apple declined to offer additional comments on the security vulnerability.