Apple has released new versions of iOS, iPadOS and watchOS and, if you have an iPhone, iPad or Apple Watch, the official advice is that you should update them sooner rather than later. iOS 14.4.2, iPadOS 14.4.2 and watchOS 7.3.3 fix a vulnerability which, Apple says, it believes has already been actively exploited.
“The processing of maliciously crafted web content can lead to universal cross-site scripting,” says the company in its security report on the new software. “Apple is aware of a report that this problem may have been actively exploited.”
The solution, says Apple, was “improved management of object life”. The company was notified of the vulnerability by two members of the Google Threat Analysis Group, Clement Lecigne and Billy Leonard. This team works to identify possible security issues in popular software and has been responsible for identifying several of these issues on iOS and iPadOS so far.
In fact, one of these researchers – along with a colleague on the Microsoft Browser Vulnerability Research team – was responsible for discovering the problem that led Apple to launch iOS 14.4.1, iPadOS 14.4.1 and macOS 11.2.3 earlier this month. That update was designed to fix a WebKit vulnerability in Apple’s Safari browser engine. At the time, however, Apple did not report any known cases of the vulnerability being exploited in the wild.
The recommendation today is that anyone with a potentially affected device should update their software as soon as possible. For iOS and iPadOS, this means iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later and iPod touch (7th generation). It also includes the latest generations of the Apple Watch.
You can download the new software on an iPhone or iPad by opening Settings, selecting “General” and then choosing “Software Update”. The update is approximately 204 MB in size. To update an Apple Watch, you can use the Watch app on your iPhone. By default, Apple tries to install new watchOS versions overnight when the watch is configured to update automatically, although you can also start the process manually.