Apple iPhone and iPad users will need to install another iOS upgrade.
Apple released emergency updates for iOS and iPadOS on Friday (March 26th) to address a zero-day bug in WebKit, the browser rendering engine that powers Safari and other browsers on Apple mobile devices.
The Apple security notice dryly notes that “Apple is aware that this problem may have been actively exploited.” That is, it is already being used to hack iPhones and iPads. Updating the device to iOS 14.4.2 and iPadOS 14.4.2 fixes the problem.
“Zero-day” vulnerabilities are those that are used in an attack before software developers become aware of the flaws. The developers have “zero days” to correct the deficiencies.
How to update your iPhone or iPad
Fortunately, updating an iPhone or iPad is a breeze. In most cases, you will simply get a notification that an update is ready. Tap on it to continue.
You can also force an update. Make sure your device is connected to the internet over a local Wi-Fi network, then go to Settings > General > Software Update and tap on Download and Install.
If Wi-Fi is not available, you can connect your iDevice to a previously “trusted” computer using a USB cable. On Macs with macOS 10.15 Catalina or higher, the phone should appear in the Finder. On Macs with macOS 10.14 Mojave or earlier, open iTunes, where the iPhone should appear.
Find the iPhone page in Finder or iTunes, click General or Preferences, then click Check for Updates. If you see an update, click Download and Update.
Very bad indeed
The bug lets a malicious website or webpage trigger “universal cross-site scripting” in WebKit, Apple says.
That would be very bad indeed, as it means ne’er-do-wells can embed code in websites that can redirect you to malicious websites or even steal information like passwords or credit card numbers from your browser.
This is the second emergency update for iPhones and iPads this month, following a patch earlier in March that fixed another WebKit bug.
Apple said this new problem “has been addressed through improved object life management,” although we can really only guess what that means.
Clément Lecigne and Billy Leonard, both researchers in Google’s Threat Analysis Group, were recognized for finding the bug.