Apple released two unexpected iOS updates on Friday, iOS 14.4.2 and iOS 12.5.2, explaining at the time that the updates included “important security updates and are recommended for all users” rather than any major new features. The fact that Apple released two distinct iOS builds further reinforced the idea that the update was fixing security issues: the second build exists to service the iOS devices that can’t run iOS 14, the latest software version for iPhone and iPad. iOS 12.5.2 will work on the older iPhones and iPads that never made the jump to iOS 13 and iOS 14.
Since then, we’ve learned exactly what sort of vulnerability Apple fixed. It’s the kind of sophisticated software attack that uses previously unknown flaws in code, zero-day vulnerabilities, that some nation-states employ in their cyber operations. This particular attack originated from a US ally and was a counterterrorism operation that Google thwarted. But the vulnerabilities that Google identified, and that these updates patch, are software flaws that malicious hackers could have discovered and employed as well.
Apple explained in a support document that iOS 14.4.2 and iPadOS 14.4.2 fix a WebKit issue. WebKit powers Safari and other internet browsers available on iPhone and iPad. Apple described the software issue as follows, indicating that the issue may be actively exploited:
Impact: Processing maliciously crafted web content may lead to universal cross site scripting. Apple is aware of a report that this issue may have been actively exploited.
The WebKit issue is part of a complex attack that involved 11 different zero-day exploits impacting iOS, Android, and Windows devices. Google’s Project Zero security team first detailed the issue in early January, following up on the matter in mid-March. The exploits had been in use since February 2020, according to Google’s experts. The researchers pointed out the attacker’s sophistication and speed but did not detail its identity.
A report from MIT Technology Review said that the hack that Google found was actually a counterterrorism operation from an unspecified US ally.
The report also claimed that the discovery of the 11 zero-day bugs sparked some debate inside Google, which might have known who the hackers were and what the operation was. Some Google employees argued that counterterrorism operations shouldn’t be disclosed to the public, while others said that Google was within its rights.
“Project Zero is dedicated to finding and patching zero-day vulnerabilities and posting technical research designed to advance the understanding of novel security vulnerabilities and exploitation techniques across the research community,” Google said in a statement. “We believe sharing this research leads to better defensive strategies and increases security for everyone. We don’t perform attribution as part of this research.”
The hackers used so-called “watering hole” techniques, injecting malicious code into websites their targets were likely to visit, which would then deliver the payload via Chrome and Safari to targeted devices. If the MIT Technology Review report is accurate, then Western spies were probably targeting specific categories of people who visited particular sites. But now that the vulnerabilities have been disclosed, they remain a risk for all iPhone, Android, and Windows users, as other hackers might attempt to take advantage of them. That’s why it’s critical to update all your devices to the latest software versions as fast as possible. iOS 14.4.2 and iOS 12.5.2 will cover most of the iPhones and iPads currently in use. Android and Windows users should also install security updates as soon as they’re available.