Apple released a security alert as part of iOS 14.4 and iPadOS 14.4 this week that warns of security flaws that may have been “actively exploited.”
The technology company said in an advisory published on Tuesday that at least three bugs were discovered, one in the Kernel—a program at the core of the operating system—and two more in WebKit, an engine used in the Safari internet browser.
If discovered, the Kernel vulnerability could be exploited to let a malicious app “elevate privileges” of an attacker. The fix is now available for iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation), Apple said.
The WebKit bugs could have potentially been abused to let an attacker remotely cause “arbitrary code execution,” and the fix has been made available for the same range of devices. The researcher who reported the vulnerabilities was given anonymity.
Broadly, arbitrary code execution is when an attacker is able to run commands or code on a victim’s device, in this case it seems without needing physical access.
For users of the listed phones or tablets, however, the advisory came with an ominous warning: “Apple is aware of a report that this issue may have been actively exploited.”
For now, further details about the scope of the bugs have not been revealed and, as reported by TechCrunch, the identity of any attackers also remains a mystery.
Apple said in the notice that it doesn’t “disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available.” But a line at the bottom of the advisory confirmed that additional details would be available soon.
Users are urged to update their iPhones, iPads and iPods with the latest iOS software in order to stay protected against any hackers who could exploit the vulnerabilities.
Apple says that it welcomes reports about bugs from security researchers, developers and customers, offering financial rewards to those who uncover serious problems.
Under its bug bounty program, for example, anyone who was to find a way to bypass a device’s lock screen could be in for a $100,000 payday, while gaining unauthorized access to iCloud account data on Apple Servers is also worth $100,000.
For the most series of attack discoveries, including a zero-click kernel code execution with persistence and another bypass, the top reward is listed as being $1,000,000.
With its premium products and “walled garden” approach to the app store, Apple has created a reputation for taking security seriously. On its website, the company claims it “continues to push the boundaries of what is possible in security and privacy.”
It says: “As attackers continue to increase the sophistication of their exploit techniques, Apple is dynamically controlling memory execution privileges for iPhone and iPad by leveraging custom CPU instructions—unavailable on any other mobile devices—to thwart compromise. Just as important as the innovation of new security capabilities, new features are built with privacy and security at the centre of their design.”