Apple’s latest iOS 14.4 and iPadOS 14.4 updates include fixes for two zero-day security flaws that the company believes may have been exploited in the wild.
The vulnerabilities exist in the kernel and in WebKit, Apple said in a security updates document. They affected all devices capable of running iOS 14 or iPadOS 14, but were patched in the iOS 14.4 and iPadOS 14.4 updates released on Tuesday.
According to Apple, the kernel vulnerability may have allowed attackers to elevate privileges, while the WebKit flaw could have been used by a remote attacker to cause arbitrary code execution.
Apple says it is aware of reports that both vulnerabilities “may have been actively exploited” in the wild. In other words, both flaws are zero-days. No additional information is available, but Apple says more details will be coming soon.
The watchOS 7 and tvOS 14.4 updates released on Tuesday also fix what appear to be similar kernel issues that could have been used to elevate privileges in an attack.
Because of the nature of the vulnerabilities and the fact that exploits may exist, it is recommended that users upgrade to iOS 14.4 and iPadOS 14.4 as soon as possible.