Apple iPhone and iPad users, it’s time to install another iOS upgrade.
Apple on Friday (March 26) pushed out emergency updates for iOS and iPadOS to fix a zero-day bug in WebKit, the browser thread engine that underlies Safari, and other browsers running on Apple mobile devices.
Apple Security Advisory dryly noted that “Apple is aware of a report that this issue may have been actively exploited,” ie has already been used to hack iPhones and iPads. Updating the device to iOS 14.4.2 and iPadOS 14.4.2 fixes the issue.
“Zero-day” security errors are those used in attacks before software developers become aware of the errors ̵
How to update your iPhone or iPad
Fortunately, updating an iPhone or iPad is a bit much. In most cases, you will only receive a notification that an update is ready. Tap it to continue.
You can also force an update by making sure your device is connected to the internet through a local Wi-Fi network, then go to Settings> General> Software update and tap Download and install.
If there is no Wi-Fi available, you can connect your iDevice to a previously “trusted” computer using a USB cable. On Macs running macOS 10.15 Catalina or later, the phone should appear in the Finder. On Macs running macOS 10.14 Mojave or earlier, open iTunes where the iPhone will appear.
Find the iPhone page in Finder or iTunes, click General or Preferences, and then click Check for Update. If an update is displayed, click Download and update.
The bug allows a malicious website or webpage to trigger “universal cross-site scripting” in WebKit, says Apple.
This would actually be very bad, as it means ne’er-do-wells can post code on websites that can redirect you to malicious websites or even steal information, such as passwords or credit card numbers, from your browser.
This is the second emergency update for iPhones and iPads this month, following an update earlier in March that fixed another WebKit bug.
Apple said that this new edition “was addressed by improved control over the life of the object,” although we can only guess what it means.
Credit for the error was given to Clément Lecigne and Billy Leonard, both researchers at Google’s Threat Analysis Group.
We look at how our readers use VPN for an upcoming in-depth report. We’d love to hear your thoughts in the survey below. It does not take more than 60 seconds of your time.
>> Click here to start the survey in a new window