Apple has released iOS 14.4 and iPadOS 14.4, fixing three flaws that, according to the company, may have been actively exploited. These are CVE-2021-1782, CVE-2021-1870, and CVE-2021-1871, which are all privilege escalation leading to remote code execution bugs.
There are no in-depth details in the release notes about these flaws because obviously, there’s still a large number of people who haven’t updated to iOS 14.4 yet, so giving away the details of how to exploit these vulnerabilities isn’t the standard practice. Also, the discovery was attributed to an “anonymous” researcher, so we’re not expecting to see a write-up on a blog out there soon.
Two of the vulnerabilities are in WebKit, which is Safari’s engine, while the other one is on the OS kernel. The first two were fixed by improving restrictions that addressed a “logic issue,” while the kernel flaw that relied upon a race condition was dealt with through improved locking. Due to the nature of the bugs, we would suggest that the attacker compromised the targets by alluring them to specially crafted websites, similar to what we’ve seen being deployed in the past against Uyghurs in China.
Having no actual details about the adversaries, the targets, the extent of the problem, and the exploitation process, all that we can say to you right now is to upgrade to iOS 14.4 immediately and forget about the rest.
Along with the fixes on the above issues, iOS 14.4 will bring the following fixes:
As for the new features and improvements, this is a minor release, so there aren’t many new things. Apple is introducing some tweaks to help the camera recognize smaller QR codes, added an option to classify Bluetooth device type in Settings for correct identification of headphones (for audio notifications), and added notifications for when the camera on the device cannot be verified as genuine.