Update your iPhone to iOS 14.6 now — Apple issues urgent security fix

iOS 14.5 review
(Image credit: Tom's Guide)

Apple yesterday (May 24) officially rolled out iOS 14.6 and macOS Big Sur 11.4 to its users in a wide-ranging update that spans new support for Apple Card Family, updates to AirTags and major fixes for a mind-boggling number of security issues — several of which teeter on the "very serious" side of things. 

iOS 14.5 arrived last month with a slew of high-profile features, which aimed to change how we use our phones. With iOS 14.6, you'd be quickly forgiven for losing track of Apple's updates, which seem endless at the moment. That said, you'll definitely want to get your smartphone updated to iOS 14.6 given the security issues  we've rounded up below.  

The real nitty-gritty of iOS 14.6 is in its plethora of security fixes that address a number of substantial vulnerabilities. These range from malicious audio files that can be exploited by bad actors to reveal sensitive personal info to glaring weaknesses in iOS' Core Services that provide an entry point for malware. 

Here's all you need to know about this latest round of security threats to macOS and iOS devices, and exactly why you need to get your iPhone, iPad and Mac updated as quickly as you can. 

How to update to iOS 14.6 now

To update your iPhone's software to iOS 14.6, head to Settings and select General. Next, tap Software Update. From here, you should be able to update to iOS 14.6. The download is approximately 577 MB, so it should not take that long over Wi-Fi. 

macOS Big Sur 11.4 security fixes

Apple counts 38 different flaws being fixed in iOS 14.6 and iPadOS 14.6, with some flaws having more than one Common Vulnerabilities and Exposures (CVE) reference number. 

Some of the same flaws are fixed in macOS Big Sur 11.4, which sees 58 flaws patched by Apple's count. (MacOS 10.15 Catalina and 10.14 Mojave got patches as well.)

Chief amongst the security issues facing macOS is a nasty strain of malware that secretly takes screenshots of users' Macs, making the need to get your system updated even more urgent. 

During research into the XCSSET malware, initially discovered back in August 2020, cybersecurity firm Jamf discovered that a macOS zero-day exploit (CVE-2021-30713) was used by XCSSET to bypass Apple's Transparency Consent and Control protections. 

Abbreviated to TCC, this feature sounds the virtual alarm when an app is behaving in a way that could threaten users' privacy like, say, taking photos or logging keystrokes. In sidestepping this protection, the XCSSET malware is able to circumvent the safeguards to users' privacy. 

"The exploit in question could allow an attacker to gain Full Disk Access, Screen Recording, or other permissions without requiring the user’s explicit consent," according to the Jamf researchers.

It's a pretty darn serious vulnerability, not least because it's one that could be exploited to gain unauthorized access to users' files, but because it can record video and audio direct from the victims' computers while hijacking other apps’ permissions.

The weakness has reportedly been patched in the latest version of macOS Big Sur 11.4, which was released on Monday (May 24). You can grab the latest macOS Big Sur update from the Mac App Store.

iOS 14.6: WebKit updates

Back in the limelight once again is our old friend, WebKit. WebKit is the engine behind Apple's Safari browser and is no stranger to bad press, having already been seriously scrutinized for security vulnerabilities earlier this year.

The vulnerabilities hinge on cross-site scripting attacks against iPhone users. Here, hackers can steal your internet cookies and sessions in Safari, effectively giving them an inroad for a full account hijacking. Bug hunters identified seven vulnerabilities in the browser engine, "including two that would allow arbitrary code execution," according to The Register

iPhones and iPad could be compromised by these malicious web pages to pinch details and sensitive info. Apple lists six fixes to WebKit in iOS 14.6 to prevent these attacks, plus to stop “maliciously crafted web content" for universal cross-site scripting.

Apple's watchOS and tvOS also received security updates to fix many of the same issues. 

Too little, too late?

Apple says that it is aware of reports that three macOS and tvOS zero-day vulnerabilities (CVEs 2021-30663, 30665 and 30713) "may have been actively exploited." In other words, those are "zero-day" flaws in that they're exploited by attackers before the defenders are able to deliver a fix. 

However, Apple stopped short of adding any further information on who may have exploited these security holes before the fixes were rolled out. None of these three flaws seem to appear in iOS, iPadOS, watchOS or in macOS Catalina or Mojave.

The operative statement in all this is to update your iPhone, iPad, Mac, Apple Watch and Apple TV right now. We've got a robust set of updating instructions in our how to upgrade to iOS 14.6 guide if you find yourself stuck. 

More: The best Mac antivirus software

TOPICS
Luke Wilson

Luke is a Trainee News Writer at T3 and contributor to Tom's Guide, having graduated from the DMU/Channel 4 Journalism School with an MA in Investigative Journalism. Before switching careers, he worked for Mindshare WW. When not indoors messing around with gadgets, he's a disc golf enthusiast, keen jogger, and fond of all things outdoors.

Read more
iPhone 16 Pro shown held in hand
Apple just patched its first zero-day flaw of the year — update your iPhone and Mac right now
Apple iPhone 16 Plus Review.
Apple just released an emergency security update for a flaw used in an ‘extremely sophisticated attack’ — update your devices right now
Apple iPhone 16 held in the hand.
iOS 18.3.1 — update your iPhone right now to fix critical zero-day vulnerability
Windows
240 million Windows 10 users are vulnerable to six different hacker exploits — protect yourself now
MacBook Pro 16-inch 2021 sitting on a patio table
Critical macOS flaw puts your data and cameras at risk — update right now
Google Pixel 9 held in the hand.
Google just fixed a zero-day kernel flaw used by hackers and 47 other vulnerabilities — update your Android phone right now
Latest in iPhones
An image of an iPhone screen showing the Safari app icon in the center
I got tired of Safari revealing my web searches in iOS 18.4 — this setting fixes that
iPhone Flip Concept
iPhone Flip should have been released years ago — it's time Apple started taking risks again
iPhone 17 Air render
iPhone 17 Air — new survey could be bad news for Apple's super thin iPhone
Render of the alleged design of the iPhone 17 Pro
New iPhone 17 Pro dummy leak highlights redesigned camera and part glass body
Siri in iOS 18 on iPhone
Users complain that Siri can’t answer even the most basic questions — here’s what we know
iPhone 16 next to samsung galaxy watch 7 and bose wireless earbuds on a composite image
Apple's walled garden is crumbling — EU orders iOS to open up to third-party devices
Latest in News
Rendered images of rumored foldable iPhone.
Foldable iPhone report just revealed key details — here's what we know
NYTimes Connections
NYT Connections today hints and answers — Saturday, March 23 (#651)
NYT Strands on a cellphone
NYT Strands today — hints, spangram and answers for game #385 (Sunday, March 23 2025)
Nintendo Switch 2
Nintendo Switch 2 rumored specs — here’s what we know so far
iPhone 17 Pro render
iPhone 17 Pro — 7 biggest rumored upgrades
CAD renderings of the Google Pixel 10 Pro XL
Pixel 10 leak could be good news for all Android phones