If you’re an iPad or iPhone user, stop what you’re doing and read this. This month, Apple released iOS 14.5.1 and iPadOS 14.5.1 to fix two security issues actively exploited in the wild by hackers. If you don’t want to be a victim, you need to update your iOS now.
The Two bugs are related to WebKit. WebKit is a browser engine developed by Apple and primarily used in its Safari web browser and all iOS web browsers.
Threat actors are exploiting the vulnerabilities using maliciously crafted web content that may lead to arbitrary code execution.
Affected devices are iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad Mini 4 and later, and iPod touch (7th generation).
It’s essential to backup your data before installing the update. Once you’re done, open Settings > General > Software Update > Download and Install.
Jonathan Knudsen, Senior Security Strategist at Synopsys Software Integrity Group, said that “recent zero-day vulnerabilities in Apple’s iOS are a stark reminder of the complexity of software security.”
Knudsen added that “software is made of many smaller pieces, which are often open source components. In the case of iOS, the vulnerable component was WebKit. Most software products have hundreds, sometimes thousands, of open source components. The security of the whole product is only as good as the security of the components, so it is critically important to understand which components have been used and keep them up to date as vulnerabilities bubble to the surface. “
Knudsen also stressed the fact that handling arbitrary input is always a challenge.” While developer training and awareness can help, the very best defense against unexpected and badly formed input is fuzzing during product development. Fuzzing is an automated testing tool that delivers thousands or millions of test cases to a piece of software or software components. When fuzzing causes a failure, the test case can be reproduced so that developers can fix the vulnerability. Incorporated as part of a secure development life cycle, fuzzing helps teams squash zero-day vulnerabilities before the software is distributed to customers.” He added.