iOS 14.2 and iPadOS 14.2 land with 24 fixes, three of which concern zero-day flaws. Two of those flaws are in the kernel, leading to privilege escalation and remote code execution. These key discoveries come from researchers who may soon stop reporting them to Apple.

iOS 14.2 and iPadOS 14.2 are out, and they address a rich set of flaws across a wide range of components. Among them are three actively exploited zero-day flaws, which were discovered and reported to Apple by Google’s ‘Project Zero’ researchers.

Zero-days are vulnerabilities that have been discovered and exploited by hackers but not by anyone in the white-hat research community. Thus, they are like “secret passes” where nasty stuff comes and goes until the vendor figures them out and patches them.

Security updates are always crucial, but applying them immediately should be an absolute priority when they fix zero-days. Thus, you should back up your important files and download iOS 14.2 right away.

In total, iOS 14.2 and iPadOS 14.2 come with 24 fixes, many of which were reported by the Cisco Talos team, Apple’s own researchers, and even anonymous tipsters. This underlines the importance of having an active researcher community around your product and why it’s risky to set restrictive rules that make the lives and work of those researchers harder.

If the Project Zero team had never reported these three flaws to Apple, many more iOS users could have fallen victim to attacks, and the prestige of Apple’s system regarding security and privacy would have been dented by negative publicity and loss of trust.

This discussion appeared on TechNadu.