On Tuesday, January 26, Apple released iOS and iPadOS version 14.4, which address at least three zero-day vulnerabilities that have been actively exploited in the wild, as well as updates for watchOS and tvOS. Here’s a brief overview of the security flaws and what Apple has done to fix them.
Apple says that because of these twin WebKit bugs, “A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.” The company says it fixed the issue by addressing a “logic issue […] with improved restrictions.”
Reading between the lines, it sounds as though a victim’s iPhone or iPad could have been compromised (i.e. hacked) or exploited by an attacker, simply by the victim viewing a page or opening an e-mail created or modified by an attacker. Notably, this kind of attack may not necessarily require the victim to click on a link within the theoretical page or e-mail.
According to the company, “A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited.”
Regarding the fix, Apple says that: “A race condition was addressed with improved locking.”
A race condition is a scenario in which a task or procedure can be done out of the proper order. Race conditions can sometimes enable an attacker to do things they shouldn’t be able to do under normal circumstances.
A privilege elevation (or privilege escalation) vulnerability enables attacks that would normally only be possible by someone with administrator or root permissions. Such vulnerabilities can make it possible to pull off attacks that may not be possible under normal conditions, or they can enable attacks to do more damage.
This kernel bug does not merely affect iOS and iPadOS. The same kernel bug was also patched in tvOS 14.4 and watchOS 7.3, both of which were released simultaneously with the iOS and iPadOS updates on Tuesday.
Apple usually releases macOS updates simultaneously iOS and other operating system updates. Occasionally, however, the urgency of an in-the-wild exploit warrants releasing some patches before all of them are ready to be released.
That seems to be the case here. On Monday, Apple released the second release candidate for macOS 11.2, so presumably the macOS updates will arrive soon.
Update: Apple deployed a third release candidate for macOS 11.2 on Thursday, January 28, and had not released the final version to the public by Friday. This seems to indicate that we may not see the next macOS release until around next Tuesday, February 2, or perhaps later.
At the bottom of each page listing the iOS 14.4/iPadOS 14.4, tvOS 14.4, and watchOS 7.3 security update details, Apple noted in italics, “Additional details available soon.”
When Apple releases operating system security updates out of sync with one another, the company often holds back some details until the remaining operating systems have been patched. This may especially be true if disclosing some details could lead attackers to guess at how to exploit the OS for which patches are not yet available.
There’s a good chance that Apple will release macOS Big Sur 11.2—and presumably security-only updates for Catalina and Mojave—sometime next week, so keep an eye out for those updates.
We’ll cover any macOS-specific security bugs, as well as any of the security bugs in this week’s OS releases that Apple hasn’t yet told us about, right here on The Mac Security Blog.
Also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for updates.
And make sure you’re following Intego on your favorite social and media channels: Facebook, Instagram, Twitter, and YouTube (click the 
