threatpost | Lisa Vaas | THREATPOST:D0D55E3C83FB920181D2FBF6C90C64E4
Oct 27, 2021 - 4:14 p.m.

Apple Patches Critical iOS Bugs; One Under Attack


CVSS2: 9.3
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3: 7.8
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score: 8.1 (Confidence: High)
EPSS: 0.002 (Percentile: 60.7%)

Apple lovers who haven’t yet updated to iOS 15, you may want to pop into Settings to freshen up your iPhone now: Apple has released several critical security updates that might light a fire under your britches.

On Monday and Tuesday, Apple released iOS 14.8.1, iPadOS 14.8.1, watchOS 8.1 and tvOS 15.1, patching 24 CVEs in total.

Apple’s security page has all the details about the CVEs, which include multiple issues in iOS components that, if exploited, could lead to arbitrary code execution, sometimes with kernel privileges that would let an attacker get to the heart of the operating system.

Critical, Easily/Already Exploited Bug

In one case – a memory-corruption issue in IOMobileFrameBuffer for Apple TV – Apple said that it’s “aware of a report that this issue may have been actively exploited” – a “maybe” that researchers confirmed.

This one is particularly worrisome, given that researchers already found that the flaw is exploitable from the browser, making it “perfect for one-click & waterholing mobile attacks,” mobile security firm ZecOps said earlier this month.

> We can confirm that the recently patched iOS 15.0.2 vulnerability, CVE-2021-30883, is also accessible from the browser: perfect for 1-click & water-holing mobile attacks. This vulnerability is exploited in the wild. Update as soon as possible. <https://t.co/dhogxTM6pT>
>
> — ZecOps – A Jamf Company (@ZecOps) October 12, 2021

In a watering-hole attack, a threat actor plants malware on websites that could attract a target, in hopes that somebody will eventually drop in and get infected.

Understandably, Apple keeps a lid on details that might help more attackers do damage. What we do know is that this bug could allow an application to execute arbitrary code with kernel privileges.

Malwarebytes Labs has a nice rundown on other security-related bugs that stand out in the two dozen CVEs Apple addressed this week.

Why Did Apple Let iOS 14 Users Stay Put?

Earlier this year, Apple announced that it was giving users a choice: They could update to iOS 15 as soon as it’s released, or they could stay on iOS 14 but still get important security updates until they’re ready to upgrade.

Why the choice? Some suggested it might have to do with an “urban legend” about Apple slowing down older phones on purpose in order to prod people into upgrading.

Maybe that’s just an oft-circulated conspiracy theory, but it’s rooted in legal comeuppance, at least with regard to battery life: Apple admitted to slowing down phones in 2017 as a way to prevent old batteries from randomly shutting devices off. In November of last year, the company was fined $113 million to settle an investigation into what was known as iPhone “batterygate.”
