Apple released updates to iOS 14.4 and iPadOS 14.4 on Tuesday after an anonymous researcher found that attackers may be able to hack certain iPhones, iPads and iPods remotely.
On the company’s support page, Apple described two security threats that have since been fixed in the latest operating system update, version 14.4. Both security threats could already have been exploited, according to Apple.
The company stated that a vulnerability associated with the WebKit web browser rendering engine could allow remote hackers to gain access to a device.
Katie Moussouris, CEO and founder of cybersecurity company Luta Security, said it meant an attacker could control a user’s phone. “They zombified this device,” she said. “You control it remotely.”
And since the threat is related to web surfing, “your regular web surfing can lead to you being compromised without really doing much else,” she said. “And that’s a problem.”
A second security threat described by Apple concerns a “malicious application” that can potentially elevate privileges. In theory, Moussouris said, a malicious actor could take advantage of this with an app. “It’s possible that a vector is almost like an app’s sleeping cell,” she said. “If you’re vulnerable, it tries to take advantage of it.”
This threat is known as a kernel vulnerability. “Kernel vulnerabilities will inherently be more severe,” Moussouris said. “[The kernel] is part of the operating system’s brain. It’s supposed to be the best protected … I’m sure you know this is a serious problem.”
Apple said it fixed the issue in its latest operating system update and urged iOS and iPadOS users to update their devices. The company’s security updates page says, “Keeping your software updated is one of the most important things you can do to keep your Apple product safe.”
Moussouris said users should update their operating systems as soon as possible. “The consumer window is between the time a patch becomes available and the time they actually apply that patch,” she said, noting that Apple doesn’t always install updates automatically.
“Apple needs to enter a modern age of visibility into security vulnerabilities and make it a lot easier,” said Moussouris, “so the average person can set it and forget it and have a lot more automation.”
Apple declined to provide additional comments on the vulnerability.