Apple just launched iOS 14.4 and iPadOS 14.4, and the update notes consist of some worrying language (by means of TechCrunch). Under kernel updates, Apple keeps in mind that “a harmful application might have the ability to elevate benefits,” and under WebKit updates, it says “a remote aggressor may have the ability to trigger arbitrary code execution.” After both statements, the upgrade notes state, “Apple is aware of a report that this issue might have been actively exploited.”
What this means, broadly, is that you must update your iOS devices as quickly as possible. The update notes do not have any additional information, so for now, we don’t understand who might have used the security breach or what they may have been using it for.
However it was used, the security breaches aren’t minor ones. An application having the ability to elevate opportunities implies that it could do things it’s not expected to be able to do. Again, there aren’t any information, but broadly speaking, it means a malicious app might’ve bypassed some of Apple’s security protections.
The WebKit exploit isn’t better. A remote opponent having the ability to trigger arbitrary code execution implies an assailant might do things on your phone just from you checking out a site they control.
This isn’t to say it’s time to go into overall cyber-lockdown mode, but it does mean that 14.4 isn’t an upgrade you want to delay for a while. In the meantime, Apple states it’ll supply additional details quickly, so we’ll watch out to find out more about the exploits.