iPhones under attack via zero-day flaw — what to do now
Browser flaw seems to be under active exploitation
Apple iPhone and iPad users, it's time to install another iOS upgrade.
Apple on Friday (March 26) pushed out emergency updates for iOS and iPadOS to fix a zero-day flaw in WebKit, the browser-rendering engine underlying Safari and other browsers that run on Apple mobile devices.
- First malware found for M1 Macs — what to do now
- The best Mac antivirus software for your Apple desktop
- Plus: Massive iPhone 13 leak reveals everything Apple doesn't want you to know
The Apple security advisory dryly noted that "Apple is aware of a report that this issue may have been actively exploited," i.e. is already being used to hack iPhones and iPads. Updating the device to iOS 14.4.2 and iPadOS 14.4.2 fixes the problem.
"Zero-day" security flaws are those that are used in attacks before software developers become aware of the flaws — the developers have "zero days" to fix the flaws.
How to update your iPhone or iPad
Fortunately, updating an iPhone or iPad is a cinch. In most cases, you'll just get a notification that an update is ready. Tap it to proceed.
You can also force a update by making sure your device is connected to the internet over a local Wi-Fi network, then going to Settings > General > Software Update and tapping Download and Install.
If there's no Wi-Fi available, you can tether your iDevice to a previously "trusted" computer using a USB cable. On Macs running macOS 10.15 Catalina or later, the phone should pop up in Finder. On Macs running macOS 10.14 Mojave or earlier, open iTunes, where the iPhone should appear.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
Locate the iPhone's page in either Finder or iTunes, click General or Settings, then click Check for Update. If an update appears, then click Download and Update.
Very bad indeed
The flaw lets a malicious website or web page spark "universal cross-site scripting" in WebKit, says Apple.
That would be very bad indeed, as it means that ne'er-do-wells can embed code in websites that can redirect you to malicious websites or even steal information, such as passwords or credit-card numbers, from your browser.
This is the second emergency update for iPhones and iPads this month, following a patch earlier in March that fixed a different WebKit flaw.
Apple said this new issue "was addressed by improved management of object lifetimes," although we really can only guess at what that means.
Credit for finding the flaw was given to Clément Lecigne and Billy Leonard, both researchers in Google's Threat Analysis Group.
We're looking at how our readers use VPN for a forthcoming in-depth report. We'd love to hear your thoughts in the survey below. It won't take more than 60 seconds of your time.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.