Update now! Apple patches bugs in iOS and iPadOS

On two consecutive days Apple has released a few important patches. iOS 14.8.1 comes just a month after releasing iOS 14.8 for those who didn’t want to update their iPhones to iOS 15. This update also came as a sort of surprise as it was not beta-tested beforehand.

Earlier this year Apple announced that users would have a choice between updating to iOS 15 as soon as it’s released, or staying on iOS 14 but still receiving important security updates.

Now the differences are starting to show. As you can see in the table below, some patches are specific for 14.8.1 and some are specific for 15.1, while many are shared between them. In total 24 CVEs were covered.

Version15.114.8.1
Release date25-Oct-2126-Oct-21
CVE-2021-30907CVE-2021-30907
CVE-2021-30917CVE-2021-30917
CVE-2021-30903CVE-2021-30903
CVE-2021-30905————
CVE-2021-30919CVE-2021-30919
CVE-2021-30881————
CVE-2021-30900CVE-2021-30900
CVE-2021-30914————
CVE-2021-30906————
CVE-2021-30894————
CVE-2021-30886————
CVE-2021-30909CVE-2021-30909
CVE-2021-30916CVE-2021-30916
CVE-2021-30910————
CVE-2021-30911————
CVE-2021-30875————
CVE-2021-30915————
CVE-2021-30902CVE-2021-30902
CVE-2021-30887————
CVE-2021-30888CVE-2021-30888
CVE-2021-30889————
CVE-2021-30890————
————CVE-2021-30883
————CVE-2021-30918

The ones that stood out

Apple is, for understandable reasons, always a bit secretive about what was fixed, but from what we were able to figure out, these are the most worrying ones by type of vulnerability.

Elevation of privileges

CVE-2021-30906: Due to a vulnerability in the iCloud component of watchOS, a local attacker may be able to elevate their privileges. A simple authentication is needed for exploitation.

CVE-2021-30907: Due to a vulnerability in the Audio component of watchOS, a malicious application may be able to elevate privileges. An attack has to be approached locally. A single authentication is needed for exploitation.

Arbitrary code execution

CVE-2021-30881: Due to a vulnerability in the FileProvider component of watchOS, unpacking a maliciously crafted archive may lead to arbitrary code execution. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. It demands that the victim is doing some kind of user interaction.

CVE-2021-30883: Due to a vulnerability in the IOMobileFrameBuffer component of  Apple tvOS, an application may be able to execute arbitrary code with kernel privileges. This issue may have been actively exploited. As previously discussed here.

CVE-2021-30886: Due to a vulnerability in the kernel component of Apple tvOS (Digital Media Player), an application may be able to execute arbitrary code with kernel privileges. Attacking locally is a requirement. A single authentication is required for exploitation.

CVE-2021-30889: Due to a vulnerability in the WebKit component of Apple tvOS, processing maliciously crafted web content may lead to arbitrary code execution. The attack can be launched remotely. The exploitation doesn’t need any form of authentication. It demands that the victim is doing some kind of user interaction.

CVE-2021-30894: Due to a vulnerability in the Image Processing component of the Smartphone OS, an application may be able to execute arbitrary code with kernel privileges. The attack needs to be approached locally. The requirement for exploitation is authentication.

CVE-2021-30900: Due to a vulnerability in the GPU Drivers component of the Smartphone OS, a malicious application may be able to execute arbitrary code with kernel privileges. An attack has to be approached locally. Authentication is required for exploitation.

CVE-2021-30902: Due to a vulnerability in the Voice Control component of the Smartphone OS, a local attacker may be able to cause unexpected application termination or arbitrary code execution. Required for exploitation is a simple authentication.

CVE-2021-30903: Due to a vulnerability in the Continuity Camera component of the Smartphone OS, a local attacker may be able to cause unexpected application termination or arbitrary code execution. The requirement for exploitation is a simple authentication.

CVE-2021-30909: A vulnerability was found in the kernel component of Apple macOS up to 12.0. An application may be able to execute arbitrary code with kernel privileges. Attacking locally is a requirement. The successful exploitation requires a simple authentication.

CVE-2021-30914: Due to a vulnerability in the GPU Drivers component of the Smartphone OS, an application may be able to execute arbitrary code with kernel privileges. Local access is required to approach this attack. A single authentication is necessary for exploitation.

CVE-2021-30916: Due to a vulnerability in the kernel component of the Smartphone OS, a malicious application may be able to execute arbitrary code with kernel privileges. Attacking locally is a requirement. The successful exploitation needs authentication.

CVE-2021-30917: Due to a vulnerability in the ColorSync component of watchOS, processing a maliciously crafted image may lead to arbitrary code execution. The attack may be launched remotely. No form of authentication is required for exploitation. Successful exploitation requires user interaction by the victim.

CVE-2021-30919: Due to a vulnerability in the CoreGraphics component of the Smartphone OS, processing a maliciously crafted PDF may lead to arbitrary code execution. The attack can be launched remotely. The exploitation doesn’t need any form of authentication. It demands that the victim is doing some kind of user interaction.

Mitigation

Apple advises users to update to iOS 15.1 and iPadOS 15.1 or iOS 14.8.1 and iPadOS 14.8.1 which can be done through the automatic update function or iTunes.

Stay safe, everyone!

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.