Apple Issues Critical iPhone Updates
Apple issued a warning about several code-execution vulnerabilities. Experts are recommending users to update to version 14.7 of iOS and iPadOS as soon as possible. The bugs includes some remotely exploitable code execution flaws. The patches address a total of 40 vulnerabilities, 37 are in iPhones. The most severe of the flaws could allow for arbitrary code execution with kernel or root privileges. The security updates also fix bugs in macOS Big Sur 11.5 and in macOS Catalina.
There are no reports of these vulnerabilities being exploited in the wild. According to the Multi-State Information Sharing and Analysis Center, the risk to large and medium-sized government and business organizations are high. The flaws are rated medium-risk for small business or government organization, while the risk to home users is considered low.
Four of the security updates for iOS 14.7 are for WebKit, the engine that powers Apple's Safari browser. All four could lead to arbitrary code execution. A successful attack would require a user to download malicious web content. The vulnerabilities are due to type confusion, use-after-free and memory-corruption issues in WebKit. IOS 14.7 also fixes a known issue where joining a malicious Wi-Fi network may result in a denial of service or arbitrary code execution.
Security experts are urging Apple users to install the patches immediately. To update the system, go to Settings > General > Software Update and follow the prompts. Experts are also advising users to run all software as a non-privileged user to diminish the effects of a successful attack. Users should not download, accept or execute files from untrusted and unknown sources. Users should not visit untrusted websites or follow links provided by untrusted or unknown sources.
Software will always have flaws, particularly with more functionality being added to a platform. But Zero-click flaws where attack can be carried out by perfect strangers are in a class by themselves. No device, and no operating system, is 100 percent error-free. Bug-bounty programs can help. Fixing these bugs is not easy, in order to reinstate that claim of being the most secure device, it will be crucial for Apple to find and fix the bug as fast as possible and to report the details about the bugs.