Update to iOS 14.2 now — Apple issues emergency iPhone security update

iPhone 12 review
(Image credit: Tom's Guide)

Apple has pushed out an emergency update to iOS, patching three "zero-day" security flaws that are already being used by hackers to attack iPhone, iPads and iPods. Your iDevices need to be updated to iOS 14.2 and iPadOS 14.2.

"Apple is aware of reports that an exploit for this issue exists in the wild," the company says next to the description of each flaw in an Apple security advisory released today (Nov. 5). 

Apple didn't call these "zero-day" flaws, but that's what they are — vulnerabilities that are attacked by hackers before the defenders have a chance to fix them.

The flaws affect the iOS/iPadOS font parser and the iOS/iPadOS kernel. The font-parser flaw "may lead to arbitrary code execution" — i.e., a hack — when "processing a maliciously crafted font," says Apple's advisory.

In the case of the second flaw, "a malicious application may be able to disclose kernel memory," which would expose passwords, keychains and other sensitive data. 

The third flaw would let "a malicious application ... execute arbitrary code with kernel privileges," which is pretty much full system takeover.

The updates to iOS and iPadOS 14.2 fix 21 other security flaws, none of which are under active attack. 

Apple also upgraded iOS 12 to version 12.4.9 to fix the three zero-day flaws plus one older FaceTime flaw on devices that can't run iOS 14, including the iPhone 5s, 6 and 6 Plus, plus the iPad Air, iPad mini 2, iPad mini 3 and 6th-generation iPod touch.

Who's attacking what?

Reading between the lines, we get the fuzzy outlines of a multi-stage attack chaining together these three actively exploited flaws. 

First, use the font-parser flaw to remotely install a malicious app via a webpage; then use the malicious app and one kernel flaw to steal passwords; third, use the malicious app and the other kernel flaw to install even more malware.

And that sounds like a state-sponsored attack against specifically selected targets. China, for example, has used similar attacks on both iOS and Android devices to spy on ethnic Tibetan and Uyghur dissidents. 

Criminal groups just out for money could also pull this sort of thing off, but they usually find it more profitable to stick to phishing attacks, adware and other low-hanging fruit.

These three flaws were discovered by the very busy researchers at Google Project Zero, whose technical lead Ben Hawkes disclosed them on Twitter.

Project Zero researchers in the past couple of weeks have also uncovered two zero-day flaws in Chrome and Chromium-based browsers and one zero-day flaw in Windows

All these flaws are also being actively exploited. The Windows one hasn't been patched yet, but it won't work without one of the Chrome flaws, both of which have been fixed with browser updates.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

Read more
Apple iPhone 16 Plus Review.
Apple just released an emergency security update for a flaw used in an ‘extremely sophisticated attack’ — update your devices right now
iPhone 16 Pro shown held in hand
Apple just patched its first zero-day flaw of the year — update your iPhone and Mac right now
Apple iPhone 16 held in the hand.
iOS 18.3.1 — update your iPhone right now to fix critical zero-day vulnerability
Google Pixel 9 held in the hand.
Google just fixed a zero-day kernel flaw used by hackers and 47 other vulnerabilities — update your Android phone right now
Windows
240 million Windows 10 users are vulnerable to six different hacker exploits — protect yourself now
MacBook Pro 16-inch 2021 sitting on a patio table
Critical macOS flaw puts your data and cameras at risk — update right now
Latest in iPhones
WWDC logo on yellow background
Apple WWDC 2025 date set for June 9 — iOS 19, Apple Intelligence and more expected
iPhone 16 with Apple Intelligence logo for iOS 18.1
iOS 18.4: All the newest Apple Intelligence features coming to your iPhone
Apple maps logo on iPhone screen
I avoided Apple Maps for trip planning — but these iOS 18 features are changing my mind
New emojis with iOS 18.4 beta release.
iOS 18.4 beta brings 8 new emoji to your iPhone — here's all the new options
An image of an iPhone screen showing the Safari app icon in the center
I got tired of Safari revealing my web searches in iOS 18.4 — this setting fixes that
iPhone Flip Concept
Foldable iPhone delays — there’s a bigger problem going on at Apple
Latest in News
NYTimes Connections
NYT Connections today hints and answers — Thursday, March 27 (#655)
The Signal app logo displayed on an iPhone, with a screenshot of the Signal app in use displayed on a monitor in the background.
Signal — everything you need to know about the app at the center of the group chat scandal
Robert Downey Jr. revealed as Doctor Doom for "Avengers: Doomsday"
Marvel reveals 'Avengers: Doomsday' casting — the latest updates and every actor
Wyze Cam v3
Wyze adds AI-powered filter to its security cameras to cut down on notifications that are “no big deal”
Mark Grayson (Steven Yeun) as Invincible in his blue suit during a scene from "Invincible" season 3 on Prime Video.
'Invincible' season 4 release window just announced — here's when it's coming
Microsoft Copilot app running on a phone with Microsoft logo in background
Microsoft 365 Copilot debuts new research tools for work: here's what that means