On Tuesday, January 26, Apple released iOS and iPadOS version 14.4, which address at least three zero-day vulnerabilities that have been actively exploited in the wild, as well as updates for watchOS and tvOS. Here’s a brief overview of the security flaws and what Apple has done to fix them.
The WebKit bugs
Two of the three zero-day bugs were addressed in WebKit—Apple’s page rendering engine, which is used by Apple’s Safari browser and many parts of Apple operating systems.
Apple says that because of these twin WebKit bugs, “A remote attacker may be able to cause arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.” The company says it fixed the issue by addressing a “logic issue […] with improved restrictions.”
Reading between the lines, it sounds as though a victim’s iPhone or iPad could have been compromised (i.e. hacked) or exploited by an attacker, simply by the victim viewing a page or opening an e-mail created or modified by an attacker. Notably, this kind of attack may not necessarily require the victim to click on a link within the theoretical page or e-mail.
The kernel bug
Apple has also fixed a serious flaw in the kernel, the core component of Apple’s operating systems.
According to the company, “A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited.”
Regarding the fix, Apple says that: “A race condition was addressed with improved locking.”
A race condition is a scenario in which a task or procedure can be done out of the proper order. Race conditions can sometimes enable an attacker to do things they shouldn’t be able to do under normal circumstances.
A privilege elevation (or privilege escalation) vulnerability enables attacks that would normally only be possible by someone with administrator or root permissions. Such vulnerabilities can make it possible to pull off attacks that may not be possible under normal conditions, or they can enable attacks to do more damage.
This kernel bug does not merely affect iOS and iPadOS. The same kernel bug was also patched in tvOS 14.4 and watchOS 7.3, both of which were released simultaneously with the iOS and iPadOS updates on Tuesday.
Where are the macOS updates?
Interestingly, Apple has yet to release corresponding macOS updates for Big Sur (macOS 11) or the two previous Mac operating systems, macOS Catalina (10.15) and macOS Mojave (10.14).
Apple usually releases macOS updates simultaneously iOS and other operating system updates. Occasionally, however, the urgency of an in-the-wild exploit warrants releasing some patches before all of them are ready to be released.
That seems to be the case here. On Monday, Apple released the second release candidate for macOS 11.2, so presumably the macOS updates will arrive soon.
Update: Apple deployed a third release candidate for macOS 11.2 on Thursday, January 28, and had not released the final version to the public by Friday. This seems to indicate that we may not see the next macOS release until around next Tuesday, February 2, or perhaps later.
Other bugs patched, but not yet announced
When Apple releases operating system security updates out of sync with one another, the company often holds back some details until the remaining operating systems have been patched. This may especially be true if disclosing some details could lead attackers to guess at how to exploit the OS for which patches are not yet available.
There’s a good chance that Apple will release macOS Big Sur 11.2—and presumably security-only updates for Catalina and Mojave—sometime next week, so keep an eye out for those updates.
We’ll cover any macOS-specific security bugs, as well as any of the security bugs in this week’s OS releases that Apple hasn’t yet told us about, right here on The Mac Security Blog.
How can I learn more?
On this week’s episode of the Intego Mac Podcast, Intego’s experts discuss these new vulnerabilities and a lot more. Be sure to subscribe to make sure you never miss the latest episode!
Also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for updates.