Apple has released new versions of iOS, iPadOS, and watchOS, and if you have an iPhone, iPad, or Apple Watch the official advice is that you should update them sooner rather than later. iOS 14.4.2, iPadOS 14.42, and watchOS 7.3.3 all fix an active vulnerability, Apple says, which it believes has already been exploited.
“Processing maliciously crafted web content may lead to universal cross site scripting,” the company says in its security report about the new software. “Apple is aware of a report that this issue may have been actively exploited.”
The fix, Apple says, was “improved management of object lifetimes.” The company had been notified of the security loophole by two members of the Google Threat Analysis Group, Clement Lecigne and Billy Leonard. That team works to identify potential security issues in popular software, and has been responsible for identifying several such problems in iOS and iPadOS before now.
Indeed, one of those researchers – along with a counterpart at Microsoft’s Browser Vulnerability Research team – was responsible for discovering the problem that led to Apple pushing out iOS 14.4.1, iPadOS 14.4.1, and macOS 11.2.3 earlier this month. That was designed to patch a WebKit vulnerability in Apple’s Safari browser engine. At the time, however, Apple did not report any known issues where the exploit had been taken advantage of in the wild.
The recommendation today is that anybody with a potentially impacted device update their software as soon as possible. For iOS and iPadOS, that means the iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation). It also includes the latest generations of Apple Watch.
You can download the new software on an iPhone or iPad by heading into the settings, selecting “General” and then choosing “Software Update”. The update is approximately 204 MB in size. To update an Apple Watch, you can use the Watch app on your iPhone. By default, Apple attempts to install new watchOS versions – when set to do so automatically – overnight, though you can nudge it to start that process manually, too.