A few hours ago, Apple somewhat surprisingly but not entirely unexpectedly made iOS 14.8, iPadOS 14.8, watchOS 7.6.2 and macOS Big Sur 11.6 available to all users worldwide. The updates contain important security-related improvements. Particularly dangerous vulnerabilities have also been closed.
Apple has now published a complete support document that lists the new features in iOS 14.8, iPadOS 14.8, watchOS 7.6.2 and macOS Big Sur 11.6. According to the Cupertino-based company, the updates are intended to close security vulnerabilities that have already been exploited in the wild.
Security: iOS 14.8 closes vulnerabilities
Above all, iOS 14.8 and iPadOS 14.8 fix security vulnerabilities in CoreGraphics and WebKit that may have been actively exploited. For example, the CoreGraphics vulnerability discovered and reported by The Citizen Lab has been closed. It enabled a zero-click attack on the iPhone that was able to overcome Apple's Blastdoor protection. The vulnerability reported by The Citizen Lab is suspected to have been used to attack Bahraini activists whose iPhones were successfully hacked using NSO Group's Pegasus spyware. Apple's security document states:
CoreGraphics
- Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
- Impact: Processing a maliciously crafted PDF file may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
- Description: An integer overflow was fixed through improved input validation.
- CVE-2021-30860: The Citizen Lab
WebKit
- Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
- Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may be actively exploited.
- Description: A use-after-free issue was resolved through improved memory management.
- CVE-2021-30858: An anonymous researcher
Since these are dangerous vulnerabilities, the updates are strongly recommended. They can be downloaded as usual via the Settings app in the "Software update" section. (Photo by Your_photo / Bigstockphoto)