Apple has released iOS 14.4, an update containing security fixes for three vulnerabilities that are said to be under active attack by hackers.
The tech giant said on its update pages that the three bugs, which affect the iPhone and iPad, "may have already been actively exploited." Details of the vulnerabilities are scarce, and an Apple spokesperson declined to say anything beyond what is in the notice.
It is not known who is exploiting the vulnerabilities or who may have fallen victim to them. Apple has not disclosed whether the attack targeted a small subset of users or whether it was a larger attack. The company granted anonymity to the user who discovered and reported the bug.
Two bugs were found in WebKit, the browser engine that powers Safari, and in the kernel, the heart of the operating system. Some successful exploits chain together a series of related vulnerabilities rather than relying on one flaw. It is not uncommon for attackers to first find vulnerabilities in a device's browser as a way to gain access to the underlying operating system.
Apple said more details would be available soon, but did not say when. It's a rare admission from Apple, which usually takes pride in its security image, that its customers may be exposed to an active attack by hackers.
In 2019, Google security researchers discovered a number of malicious websites containing code that silently hacked victims' iPhones. TechCrunch revealed that the attack was part of an operation, possibly by the Chinese government, to spy on some Muslim tribes. In response, Apple contested some of Google's findings in an equally rare public statement, as Apple faced more criticism for downplaying the severity of the attack.
Last month, the Citizen Lab found that dozens of journalists had their iPhones hacked with a previously unknown vulnerability in order to install spyware developed by the Israel-based NSO Group.
In the absence of details, iPhone and iPad users should update to iOS 14.4 as soon as possible.