Apple has published a full support document detailing what’s new in iOS 14.8, watchOS 7.6.2, iPadOS 14.8, and macOS Big Sur 11.6. Apple says that the updates address security vulnerabilities that “may have been actively exploited in the wild.”
Update: Citizen Lab has published a new report today with more details on the vulnerabilities. The gist of it? Update all of your devices ASAP.
In a statement, Ivan Krstić, head of Apple Security Engineering and Architecture, said:
“After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users. We’d like to commend Citizen Lab for successfully completing the very difficult work of obtaining a sample of this exploit so we could develop this fix quickly. Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”
Most notably, Apple says that iOS 14.8 and iPadOS 14.8 both address CoreGraphics and WebKit vulnerabilities that may have been actively exploited. The CoreGraphics vulnerability was reported by The Citizen Lab, which discovered a zero-click iPhone attack that defeated Apple’s Blastdoor protections back in August.
The vulnerability reported by The Citizen Lab is believed to have been used to target Bahraini activists whose iPhones were successfully hacked with NSO Group’s Pegasus spyware.
- New Pegasus zero-click iPhone attack defeats Apple’s Blastdoor protections
In a support document posted today, Apple outlines the vulnerability and its fix:
There is also a fix for a WebKit vulnerability:
CoreGraphics
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: An integer overflow was addressed with improved input validation.
CVE-2021-30860: The Citizen Lab
WebKit
The full details on today’s security updates can be found at the following links:
Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A use after free issue was addressed with improved memory management.
CVE-2021-30858: an anonymous researcher
- Security Update 2021-005 Catalina
- macOS Big Sur 11.6
- watchOS 7.6.2
- iOS 14.8 and iPadOS 14.8
iOS 14.8 is out, and it’s security fixes, including one that was reported by @citizenlab — which said in August that it found zero-click NSO Group attacks on Bahraini activists using current iPhones https://t.co/3DxeKVtuLi pic.twitter.com/HVG6JbvyeE
— kif (@kifleswing) September 13, 2021
