Skip to main content

Apple says iOS 14.8 patches iPhone attack that defeated Blastdoor protections

Apple has published a full support document detailing what’s new in iOS 14.8, watchOS 7.6.2, iPadOS 14.8, and macOS Big Sur 11.6. Apple says that the updates address security vulnerabilities that “may have been actively exploited in the wild.”

Update: Citizen Lab has published a new report today with more details on the vulnerabilities. The gist of it? Update all of your devices ASAP.

In a statement, Ivan Krstić, head of Apple Security Engineering and Architecture, said:

“After identifying the vulnerability used by this exploit for iMessage, Apple rapidly developed and deployed a fix in iOS 14.8 to protect our users. We’d like to commend Citizen Lab for successfully completing the very difficult work of obtaining a sample of this exploit so we could develop this fix quickly. Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”

Most notably, Apple says that iOS 14.8 and iPadOS 14.8 both address CoreGraphics and WebKit vulnerabilities that may have been actively exploited. The CoreGraphics vulnerability was reported by The Citizen Lab, which discovered a zero-click iPhone attack that defeated Apple’s Blastdoor protections back in August.

The vulnerability reported by The Citizen Lab is believed to have been used to target Bahraini activists whose iPhones were successfully hacked with NSO Group’s Pegasus spyware.

In a support document posted today, Apple outlines the vulnerability and its fix:

CoreGraphics

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: An integer overflow was addressed with improved input validation.

CVE-2021-30860: The Citizen Lab

There is also a fix for a WebKit vulnerability:

WebKit

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A use after free issue was addressed with improved memory management.

CVE-2021-30858: an anonymous researcher

The full details on today’s security updates can be found at the following links:

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Chance Miller Chance Miller

Chance is the editor-in-chief of 9to5Mac, overseeing the entire site’s operations. He also hosts the 9to5Mac Daily and 9to5Mac Happy Hour podcasts.

You can send tips, questions, and typos to chance@9to5mac.com.

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications