You know that age-old advice of waiting before you update a device, just in case? Ignore that. Update your iPad right now. Update your Apple Watch right now. Update your iPhone right now. Don’t even finish reading this article; go update your stuff, then come back. Apple just patched a big problem.
Apple started rolling out iOS 14.4.2, iPadOS 14.4.2, and watchOS 7.3.3 today, and none of those updates add new features. Instead, the update plugs a major security hole that affects iPads, iPhones, and Apple Watches.
Unfortunately, the vulnerability Apple patched is a zero-day, which means some bad actors have already exploited it. Clement Lecigne of Google Threat Analysis Group and Billy Leonard of Google Threat Analysis Group first reported it under CVE-2021-1879. Apple admits in a support page that it’s aware of at least one report that “this issue may have been actively exploited.”
The problem stems from the Webkit browser engine. It allows bad actors to launch universal cross-site scripting attacks by tricking users into visiting a maliciously crafted web page or other web content. A cross-site scripting attack would let hackers obtain information from other web pages you have open on your iPad, iPhone, or Apple Watch. If you think that through, you can imagine how bad that could be.
With the update, you’re safe (though you should still use caution when visiting new websites), so go update your stuff now. This is not one you want to put off. You can get the updates going now by performing a “check for updates” on each of your devices.
via MacRumors