
Update your iPhone and iPad right now to protect against active exploit

Published Mar 29th, 2021 7:31AM EDT
iPhone Security Update
Image: Apple Inc.


Apple released two unexpected iOS updates on Friday, iOS 14.4.2 and iOS 12.5.2, explaining at the time that the updates included “important security updates and are recommended for all users” rather than any major new features. The fact that Apple released two distinct iOS builds further reinforced the idea that the update was fixing security issues, because the second build is meant to service the iOS devices that can’t run iOS 14, the latest software version for iPhone and iPad. iOS 12.5.2 will work on the older iPhones and iPads that never made the jump to iOS 13 and iOS 14.

Since then, we’ve learned exactly what sort of vulnerability Apple fixed. It’s the kind of sophisticated software attack that relies on previously unknown flaws in code, zero-day vulnerabilities, of the sort that some nation-states employ in their cyber operations. This particular attack originated from a US ally and was a counterterrorism operation that Google thwarted. But the vulnerabilities that Google identified, and that have now been patched, were software flaws that malicious hackers could have discovered and used as well.

Apple explained in a support document that iOS 14.4.2 and iPadOS 14.4.2 fix a WebKit issue. WebKit powers Safari and other internet browsers available on iPhone and iPad. Apple described the software issue as follows, indicating that the issue may be actively exploited:

Impact: Processing maliciously crafted web content may lead to universal cross site scripting. Apple is aware of a report that this issue may have been actively exploited.

The WebKit issue is part of a complex attack that involved 11 different zero-day exploits impacting iOS, Android, and Windows devices. Google’s Project Zero security team first detailed the issue in early January, following up on the matter in mid-March. The exploits had been in use since February 2020, according to Google’s experts. The researchers pointed out the attacker’s sophistication and speed but did not identify who was behind it.

A report from MIT Technology Review said that the hack that Google found was actually a counterterrorism operation from an unspecified US ally.

The report also claimed that the discovery of the 11 zero-day bugs sparked some debate inside Google, which might have known who the hackers were and what the operation was. Some Google employees argued that counterterrorism operations shouldn’t be disclosed to the public, while others said that Google was within its rights.

“Project Zero is dedicated to finding and patching zero-day vulnerabilities and posting technical research designed to advance the understanding of novel security vulnerabilities and exploitation techniques across the research community,” Google said in a statement. “We believe sharing this research leads to better defensive strategies and increases security for everyone. We don’t perform attribution as part of this research.”

The hackers used so-called “watering hole” techniques: they injected malicious code into unspecified websites, which would then deliver the payload via Chrome and Safari to targeted devices. If the MIT Technology Review report is accurate, then Western spies were probably targeting specific categories of people who visited particular sites. But now that the vulnerabilities have been disclosed, they remain a risk for all iPhone, Android, and Windows users, as other hackers might attempt to take advantage of them. That’s why it’s critical to update all your devices to the latest software versions as fast as possible. iOS 14.4.2 and iOS 12.5.2 will cover most of the iPhones and iPads currently in use. Android and Windows users should also install security updates as soon as they’re available.

Chris Smith Senior Writer

Chris Smith has been covering consumer electronics ever since the iPhone revolutionized the industry in 2008. When he’s not writing about the most recent tech news for BGR, he brings his entertainment expertise to Marvel’s Cinematic Universe and other blockbuster franchises.

Outside of work, you’ll catch him streaming almost every new movie and TV show release as soon as it's available.