iOS 14.4 Patches Vulnerabilities That May Have Been Actively Exploited

[MacRumors]

Apple today released iOS 14.4 and iPadOS 14.4, and along with a handful of minor new features, the software introduces security fixes for three vulnerabilities that may have been used in the wild.

According to a security support document shared by Apple, there were kernel and WebKit vulnerabilities affecting all iPhones and iPads running iOS or iPadOS 14. The kernel vulnerability could allow a malicious application to elevate privileges, and Apple says it is aware of a report that the issue may have been actively exploited.

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited.
Description: A race condition was addressed with improved locking.
CVE-2021-1782: an anonymous researcher

Apple also says a WebKit issue that allowed for a remote attacker to cause arbitrary code execution may have been actively exploited.

Available for: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A logic issue was addressed with improved restrictions.
CVE-2021-1871: an anonymous researcher
CVE-2021-1870: an anonymous researcher

There is no other information available at this time, but Apple's support document says that additional information will be "available soon."

Given that significant vulnerabilities are patched in the iOS 14.4 and iPadOS 14.4 updates, those running iOS 14 should update as soon as possible.

Article Link: iOS 14.4 Patches Vulnerabilities That May Have Been Actively Exploited

 

[Baymowe335]

Usual support. Good.

 

[zorinlynx]

I wonder if these holes are in iOS 12; lots of iPhone 6 users still out there, like my mom.

 

[jz0309]

Good, in the process of upgrading right now. Was not worth it for the features but had anticipated something like this.

 

[Natzoo]

Good update but doesn't it make third-party replacements harder at the same time? I forgot the video but 14.4 locks down more parts to the device. Going to update in a few days just to make sure there aren't any bugs.

 

[Realityck]

Been using IPadOS 14.4 throughout its beta/RC cycle, not like most will encounter bugs.

 

[Apple_Robert]

I am glad Apple is so proactive in this area.

 

[_Spinn_]

All the more reason to grab this update right now. I'm glad Apple is proactive about security/patches.

 

[mclarenf1]

Oh.......and we won't mention that when you upgrade you will loose your Parler and Telegram accounts

 

[jonnysods]

I wonder if these holes are in iOS 12; lots of iPhone 6 users still out there, like my mom.

Looks like an iOS14 bug so she should be ok!

 

[FNH15]

I wonder if these holes are in iOS 12; lots of iPhone 6 users still out there, like my mom.

If it’s present in iOS 12, chances are Apple will patch it - they seem to be supporting the most recent iOS and one before it (iOS 13 doesn’t count as all iOS 13 devices can upgrade to 14).

 

[0ID0]

What about the soooo long trumpeted PRIVACY dingdong? The trackers and data thief's are still not prepared?
Fingerprinting not ready? And Apple obediently waiting for them. Phew!

 

[LFC2020]

Great work apple, you don’t get this kind of support with android, may the walled garden continue to blossom. 🌹🌸🌻

 

[Unregistered 4U]

The security researchers I admire? These ones:

CVE-2021-1782: an anonymous researcher
CVE-2021-1871: an anonymous researcher
CVE-2021-1870: an anonymous researcher

Never have to worry about if they’re doing it to drive business or for publicity

 

[randyhudson]

The security researchers I admire? These ones:

CVE-2021-1782: an anonymous researcher
CVE-2021-1871: an anonymous researcher
CVE-2021-1870: an anonymous researcher

Never have to worry about if they’re doing it to drive business or for publicity

It is typical for the reporter and the technical details of the vulnerability to be withheld for a period of time while affected systems can be upgraded.

Apple pays bounties, so most likely the reporter is known.

 

[TheDailyApple]

And this, folks, is why one should always stay up to date.

 

[hot-gril]

Time for me to stop hitting "later" on the updates. These are serious vulnerabilities.

 

[zephonic]

this an issue for those of us still on iOS 12 or 13?

 

[aesc80]

Very appreciative of how proactive Apple is with their OS. It's def one of the reason to stay on point with their updates (granted, some can be a pain, but it's times like these where the benefits outweigh the risks).

 

[Apple_Robert]

And this, folks, is why one should always stay up to date.

Exactly. Too many people around here don't update their device because they afraid of performance. In my opinion, security takes precedence.

 

[now i see it]

Yes you Joe Blow Nobody with your iPhone 6, Nation state hackers are bent on destroying your life by compromising your iPhone

 

[Unregistered 4U]

It is typical for the reporter and the technical details of the vulnerability to be withheld for a period of time while affected systems can be upgraded.

Apple pays bounties, so most likely the reporter is known.

Oh, they’re known for the work they do with the individuals they work with. I’m talking about the “security researchers” that make it their week’s work to go on and on about a vulnerability that requires:
1. Physical access to your device, that has been
2. Unlocked by you and
3. You’re also giving them additional personal information about you

I’ve always said the REAL researchers are the ones you don’t know the name of.

 

[OhneFrust]

Wasn't Apple going to give us cross app tracking prevention with this update? Or has it been delayed to 14.5?

 

[Exhale]

Yes you Joe Blow Nobody with your iPhone 6, Nation state hackers are bent on destroying your life by compromising your iPhone

The exploits described in the article are the type of where its enough to simply visit a bad website for it to infect your system. And with root privileges no less.

 

[MacBH928]

Seriously, did any one ever been attacked by these vulnerabilities? I keep hearing about them on updates, but people seem to run years outdated software just fine. I am not saying this is bad, just wondering if these vulnerabilities are all that serious.