Apple has published a full support document detailing what’s new in iOS 14.8, watchOS 7.6.2, iPadOS 14.8, and macOS Big Sur 11.6. Apple says that the updates address security vulnerabilities that “may have been actively exploited in the wild.”
Most notably, Apple says that iOS 14.8 and iPadOS 14.8 both address CoreGraphics and WebKit vulnerabilities that may have been actively exploited. The CoreGraphics vulnerability was reported by The Citizen Lab, which discovered a zero-click iPhone attack that defeated Apple’s Blastdoor protections back in August.
The vulnerability reported by The Citizen Lab is believed to have been used to target Bahraini activists whose iPhones were successfully hacked with NSO Group’s Pegasus spyware.
In a support document posted today, Apple outlines the vulnerability and its fix:
CoreGraphics
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: An integer overflow was addressed with improved input validation.
CVE-2021-30860: The Citizen Lab
There is also a fix for a WebKit vulnerability:
WebKit
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Description: A use after free issue was addressed with improved memory management.
CVE-2021-30858: an anonymous researcher
The full details on today’s security updates can be found at the following links:
FTC: We use income earning auto affiliate links. More.