iPhones under attack via zero-day flaw — what to do now

Apple iPhone and iPad users, it's time to install another iOS upgrade. 

Apple on Friday (March 26) pushed out emergency updates for iOS and iPadOS to fix a zero-day flaw in WebKit, the browser-rendering engine underlying Safari and other browsers that run on Apple mobile devices.

The Apple security advisory dryly noted that "Apple is aware of a report that this issue may have been actively exploited," i.e., the flaw is already being used to hack iPhones and iPads. Updating the device to iOS 14.4.2 or iPadOS 14.4.2 fixes the problem.

"Zero-day" security flaws are those that are used in attacks before software developers become aware of the flaws — the developers have "zero days" to fix the flaws.

How to update your iPhone or iPad

Fortunately, updating an iPhone or iPad is a cinch. In most cases, you'll just get a notification that an update is ready. Tap it to proceed. 

You can also force an update by making sure your device is connected to the internet over a local Wi-Fi network, then going to Settings > General > Software Update and tapping Download and Install.

If there's no Wi-Fi available, you can tether your iDevice to a previously "trusted" computer using a USB cable. On Macs running macOS 10.15 Catalina or later, the phone should pop up in Finder. On Macs running macOS 10.14 Mojave or earlier, open iTunes, where the iPhone should appear.

Locate the iPhone's page in either Finder or iTunes, click General or Settings, then click Check for Update. If an update appears, then click Download and Update.

Very bad indeed

The flaw lets a malicious website or web page spark "universal cross-site scripting" in WebKit, says Apple. 

That would be very bad indeed, as it means that ne'er-do-wells can embed code in websites that can redirect you to malicious websites or even steal information, such as passwords or credit-card numbers, from your browser.

This is the second emergency update for iPhones and iPads this month, following a patch earlier in March that fixed a different WebKit flaw.

Apple said this new issue "was addressed by improved management of object lifetimes," although we really can only guess at what that means.

Credit for finding the flaw was given to Clément Lecigne and Billy Leonard, both researchers in Google's Threat Analysis Group.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.
