Install iOS 14.8 and other Apple updates asap to protect against zero-click Messages attacks

The latest round of Apple software updates fixes the vulnerabilities behind recent zero-click attacks that bypassed Apple’s BlastDoor security in Messages. iOS 14.8 includes security fixes for two bugs that have been actively exploited in the wild. Do yourself a big favor and install the latest updates to close this particularly dangerous attack vector.


STORY HIGHLIGHTS:

  • iOS 14.8 fixes a zero-day vulnerability used to run malicious code
  • The dangerous vulnerability may have been exploited in Messages
  • Relevant updates for iPad, Apple Watch and Mac are available, too
  • Fixes for older Mac models are available separately
  • All users are strongly advised to update asap


Install iOS 14.8 security fixes as soon as possible

Apple on September 13, 2021, released iOS 14.8, iPadOS 14.8, watchOS 7.6.2 and macOS Big Sur 11.6 to the general public. As it turns out, these iPhone, iPad, Apple Watch and Mac software updates include a critical fix for a dangerous vulnerability that hackers may have, and most likely already have, used to target unsuspecting users.

Two bugs have been discovered in Apple’s software. One is present in the CoreGraphics subsystem that provides lightweight 2D rendering while the other plagues the WebKit layout engine, used by the Safari browser and other system features that want to render web content.

The CoreGraphics issue affects Apple Watch Series 3, iPhone 6s, iPad Air 2, iPad 5, iPad mini 4 and later, as well as the seventh-generation iPod touch and all Mac computers that run macOS Big Sur. The WebKit bug affects all the same devices except Apple Watch.

The CoreGraphics bug, discovered by The Citizen Lab (CVE-2021-30860), could result in arbitrary code execution when processing a maliciously crafted PDF document. This has been fixed by addressing an integer overflow with improved input validation, Apple says.

An August 2021 post on The Citizen Lab blog claims the vulnerability has been used to bypass Apple’s BlastDoor protections in Messages. It was reported earlier that this zero-click attack was used to hack into Bahraini activists’ iPhones using NSO Group’s Pegasus spyware.

The same vulnerability is present in WebKit and has been patched with improved memory management. The WebKit issue is credited to an anonymous researcher (CVE-2021-30858).

Security contents of iOS 14.8, iPadOS 14.8, watchOS 7.6.2 and macOS Big Sur 11.6

Apple provided these support documents listing the security contents of the updates:

A dedicated “Security Update 2021-005 Catalina” download is available for Catalina-powered Macs to patch the CoreGraphics issue. Similarly, WebKit patches for macOS Catalina and macOS Mojave are provided as part of the Safari 14.1.2 update.

Both patches are available through the Software Update feature on those computers.
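If you look after more than a handful of devices, the fixed versions listed above can be checked against an inventory export. The Python script below is an added example, not code from Apple or from the original article; the CSV columns, host names and status labels are assumptions made for illustration.

```python
import csv
import io

# Minimum fixed releases, as named in the article.
FIXED = {"iOS": "14.8", "iPadOS": "14.8", "watchOS": "7.6.2", "macOS": "11.6"}
SAFARI_FIXED = "14.1.2"  # carries the WebKit fix for Catalina and Mojave

def parse(version, width=3):
    """'14.7.1' -> (14, 7, 1); pads short versions so '14.8' equals '14.8.0'."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def assess(platform, os_version, safari_version=""):
    """Return a status label (hypothetical names) for one device."""
    if platform not in FIXED:
        return "unknown-platform"
    ver = parse(os_version)
    if platform == "macOS" and ver < (11, 0, 0):
        # Pre-Big Sur Macs are patched through Safari 14.1.2 and, on Catalina,
        # Security Update 2021-005. A security update does not change the
        # marketing version number, so it has to be confirmed separately.
        if not safari_version or parse(safari_version) < parse(SAFARI_FIXED):
            return "update-safari"
        return "check-security-update" if ver[:2] == (10, 15) else "webkit-fix-only"
    return "patched" if ver >= parse(FIXED[platform]) else "update-os"

def report(csv_text):
    """Map each host in an inventory CSV to its status."""
    rows = csv.DictReader(io.StringIO(csv_text.strip()))
    return {r["host"]: assess(r["platform"], r["os_version"], r["safari_version"])
            for r in rows}

# Constructed sample inventory (not real devices).
SAMPLE = """\
host,platform,os_version,safari_version
ceo-iphone,iOS,14.7.1,
lab-ipad,iPadOS,14.8,
watch-03,watchOS,7.6.1,
dev-mbp,macOS,11.6,
old-imac,macOS,10.15.7,14.1.1
build-mini,macOS,10.15.7,14.1.2
"""

if __name__ == "__main__":
    for host, status in report(SAMPLE).items():
        print(f"{host:12} {status}")
```

Catalina machines that report `check-security-update` still need Security Update 2021-005 confirmed by other means, since the OS version string alone does not show it.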

Should I update to iOS 14.8?

In a word, yes — and without hesitation.

We most definitely recommend updating all your iPhones to iOS 14.8 as soon as possible. Update your iPad, Apple Watch and Mac devices as well, because the respective iPadOS 14.8, watchOS 7.6.2 and macOS Big Sur 11.6 updates for those devices are now also available.

If you don’t update, your devices will remain vulnerable to this particularly dangerous attack.

How to update to iOS 14.8, iPadOS 14.8, watchOS 7.6.2 and macOS Big Sur 11.6

To update the operating system software powering your iPhone, iPad or iPod touch, go to Settings → General → Software Update. Be sure that your device is plugged into power and connected to the internet over Wi-Fi.

To update the macOS software on your Mac computers, launch the System Preferences app and choose “Software Update” from the System Preferences window, then follow the onscreen instructions to install the latest updates.

To update the watchOS software on your Apple Watch, choose My Watch → General → Software Update in the companion Watch app on your paired iPhone. You’ll see a message if an update is available. If asked for your iPhone passcode or Apple Watch passcode, enter it.

Make sure that your Apple Watch is at least 50 percent charged and its paired iPhone is connected to the internet via Wi-Fi. You’ll also need to keep both the phone and the watch close to each other so that they’re in Bluetooth range.

Be advised that a watchOS update could take anywhere from several minutes to an hour or more to complete. That said, power users may want to take advantage of a little-known Bluetooth trick that speeds up Apple Watch software updates dramatically.