Apple iPhone and iPad users, it's time for another iOS upgrade.

On Friday, March 26, Apple delivered an emergency update to its iOS and iPad OS to fix a zero-day flaw in WebKit, the browser rendering engine underlying Safari and other browsers running on Apple mobile devices.

Apple's security advisory grimly notes that "Apple is aware of reports that this issue may be actively exploited," meaning it is already being used to hack iPhones and iPads. Updating devices to iOS 14.4.2 and iPadOS 14.4.2 will fix this issue.

A "zero-day" security flaw is one that is used in an attack before the software developer is aware of the flaw and the developer has "zero days" to fix the flaw.

Fortunately, updating an iPhone or iPad is easy. Most of the time, you just get a notification that the update is ready. Tap it and proceed.

You can also force the update by making sure the device is connected to the Internet via a local Wi-Fi network, going to Settings > General > Software Update, and tapping Download and Install

If Wi-Fi is not available, you can use a USB cable to pre-tether your iDevice to a "trusted" computer. macOS 10.15 Catalina or later running on a Mac should cause the phone to pop up in the Finder. On a Mac running macOS 10.14 Mojave or earlier, open iTunes and the iPhone should appear.

Locate the iPhone page in either the Finder or iTunes, click on "General" or "Settings," then click on "Check for Updates. When the update appears, click "Download and Update."

The flaw causes malicious websites and web pages to spark "universal cross-site scripting" in WebKit, Apple says.

This is really bad because it means that a malicious person could embed code in a website that could redirect you to a malicious website or steal information such as passwords or credit card numbers from your browser.

This is the second emergency update for iPhone and iPad this month, following a patch in early March that fixed another WebKit flaw.

Apple states that this new problem was "addressed by improving object lifetime management," but one can only guess what that means.

Credit for discovering this flaw goes to Clément Lecigne and Billy Leonard, researchers in Google's Threat Analysis Group.