Apple fixes dozens of security flaws with iOS 15.4 — update your iPhone now

Update (May 18): In more recent iPhone security news, researchers have found it's possible to hack an iPhone even if it's powered off.

Apple released security patches for just about everything it makes yesterday (March 14), so if you use an iPhone, iPad, Mac, Apple TV, Apple Watch or even iTunes for Windows, it's time to get updating.

First, the good news: None of the 10 different update bundles appears to patch zero-day flaws. In other words, none of these vulnerabilities are being exploited by hackers in the wild — at least not yet. It's likely only a matter of days before that starts to happen, so you'll want to update your iDevices now.

The update bundle for iOS and iPadOS contains fixes for 39 different security flaws and bumps up the version numbers for both operating systems to 15.4. We've also got an overview of iOS 15.4's new features.

Running Software Update (found buried in System Preferences in the latest version of macOS) will install all the Mac updates you need. On an iPhone or iPad, go to Settings > General > Software Update. 

To update Apple Watch, make sure your iPhone is connected to Wi-Fi, then go to Apple Watch > My Watch > General > Software Update on your iPhone. To update Apple TV, go to Settings > System > Software Updates > Update Software.

Apple says that iTunes for Windows will automatically update itself if you downloaded the application from the Microsoft Store, or if you have automatic updates enabled within the app. Otherwise, open the iTunes app and go to Help > Check for Updates.

The dirty details about these security flaws

Several of the flaws allow malicious websites, images or PDFs to lead to remote code execution, cross-site scripting (both forms of remote hacking) or leaking of sensitive information, which you definitely want fixed ASAP. Others let apps already installed on an iPhone or iPad do more than they should, or let a person on a local network do so.

Fixes for some of the same web-based flaws are included in the update bundles for macOS Monterey, Big Sur and Catalina, which contain 60, 22, and 18 patches, respectively.

One flaw that seems to be unique to Monterey lets a malicious application gain root privileges, a level of system control that not even macOS users are permitted to have. That's about as serious a flaw as you can get. 

Other update bundles are available for Apple TV, Apple Watch, iTunes for Windows, GarageBand, Logic Pro X and Xcode. The iTunes one fixes four flaws related to handling of "maliciously crafted" images or web content, all of which are shared with iOS/iPadOS, watchOS, tvOS and macOS Monterey.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.