Apple has released iOS 14.4 which contains fixes for two critical security vulnerabilities which they admit may have been actively exploited in the wild.
The first flaw (CVE-2021-1871, CVE-2021-1870) in iOS and iPadOS is a WebKit vulnerability which could be exploited by a malicious webpage in the Safari browser to execute arbitrary code on the device.
The second (CVE-2021-1782) is a kernel level race condition which could be exploited by malicious code (possible installed by the first flaw) to elevate privilege and so gain control of the device.
Attackers gain control of devices by combining several security vulnerabilities in sequence – known as chaining. Any one vulnerability on its own may not appear significant but the cumulative effect of the chained vulnerabilities can be enough to grant the attacker access to your network or device. This is why it is important to apply all security patches promptly each month as they become available. Any one patch could be the critical ‘break in the chain’ that prevents a successful attack against your business.
The new versions of iOS and iPadOS were released by Apple on 26 January 2021 and can be installed on supported devices (iPhone 6s and later and iPad Air 2 and later) for free from the Settings app on the device.