The Limited Times


iOS 14.4: Apple closes dangerous security holes

2021-01-27T11:05:37.302Z


The update to iOS 14.4 is meant not only to provide iPhones with new functions. Much more importantly, it closes vulnerabilities that may already be exploited by criminals.



Freshly installed: iOS 14.4 on an iPhone 12 Pro

Photo: Matthias Kremp / DER SPIEGEL

Security researchers repeatedly emphasize the importance of installing new updates on PCs and smartphones.

In addition to new functions and improvements, the updates often also include so-called patches that close newly discovered weaknesses in software and operating systems.

Often the manufacturers indicate in their "instruction leaflets" for the updates that they do not know whether the security gaps in question have been actively exploited.

Not so with the update to iOS 14.4 and iPadOS 14.4, which Apple released on the night of January 27th.

Deviating from the usual procedure, the company points out in the security notes for the update that it is aware of a report according to which the vulnerabilities may have been actively exploited.

Specifically, there are three problems.

One of them enabled apps to bypass the protection mechanisms of iOS and iPadOS and to grant themselves higher privileges.

Apps manipulated in this way could access data that should actually remain hidden from them.

Do not wait for the automatic update

Two other vulnerabilities were discovered in WebKit, the software that is the basis of all web browsers for iPhones and iPads.

According to Apple, an attacker can exploit the vulnerabilities to remotely execute malicious code on the affected device.

"A security hole couldn't be much more problematic," says security expert Tim Berghoff from G Data.

Commenting on the iPhone manufacturer's approach, Berghoff says it is "absolutely seldom" that "Apple itself warns of actively exploited security problems".

In his opinion, the vulnerabilities in the operating system's kernel and in WebKit affect "two highly critical components of the operating system".

In the gray market for security vulnerabilities, millions of dollars would be paid for such exploits.

The expert advises: "So users shouldn't wait for the automatic updates, but take action themselves immediately", i.e. start the update manually.

The corresponding function can be found in the settings of iPhones and iPads under General / Software update.

The system recognizes third-party cameras

Apple documents on a website which new options and functions iOS 14.4 brings along with the patches for the three security holes.

Particularly interesting is the option to classify Bluetooth devices and tell the system whether a product paired via Bluetooth is, for example, headphones, loudspeakers, a hearing aid or a car's stereo system.

With this classification, Apple wants, for one thing, to improve the playback of audio messages on the various devices.

For another, the system should be able to better assess whether the user has been listening to music through headphones for too long and too loudly.

This setting option is not available for AirPods and Beats headphones because these devices are known to the system.

In addition, the system should now issue a message if it cannot identify the camera in Series 12 iPhones as the original camera.

Anyone who has a defective camera replaced with a non-Apple camera in a workshop that is not authorized by Apple will in future be nagged by a corresponding notice.

The function of such a camera module should not be restricted by this; at least there is no indication of that from Apple.

In addition to iOS 14.4 and iPadOS 14.4, updates to tvOS 14.4 for the Apple TV set-top box and watchOS 7.3 for the Apple Watch were also released during the night.


Source: spiegel
