
iOS 14.8, iPadOS 14.8 tighten security, close off 'Blastdoor' attacks

Apple's update to iOS 14.8 and iPadOS 14.8 introduces fixes for two vulnerabilities, including one that enabled attacks that worked around Apple's BlastDoor protective system.

Monday's release of iOS 14.8 and iPadOS 14.8 to the public was unexpected and lacked any betas ahead of being issued. Apple described the patches as providing "important security updates and is recommended for all users."

Shortly after the release, Apple published the security content changes included in iOS 14.8 and iPadOS 14.8. The two fixes relate to the CoreGraphics and WebKit components of both operating systems.

Both updates state the impact of the vulnerabilities was that the processing of a "maliciously crafted" PDF file or web content "may lead to arbitrary code execution." Apple "is aware of a report that this issue may have been actively exploited."

The CoreGraphics patch is listed as issue CVE-2021-30860, reported by The Citizen Lab, while "an anonymous researcher" reported CVE-2021-30858, affecting WebKit.

The updates fix issues that allowed an attacker to bypass Apple's BlastDoor security sandbox, a system used to stop malicious code execution in Messages.

Following initial reporting on the Pegasus hacking tool in July, a second report by Citizen Lab in August revealed the vulnerability in iMessage, which allowed Pegasus to be installed on a target iPhone. The hack and the use of Pegasus are believed to have been performed on devices owned by journalists and human rights activists.

Update: After the iOS 14.8 update went live, Citizen Lab published a report about a zero-click exploit leveraging the CVE-2021-30860 vulnerability. According to Citizen Lab, the exploit appears to have been developed by NSO Group and was discovered when it actively targeted the smartphone of at least one Saudi activist. The exploit, which targeted Apple's image rendering library, was used to distribute the Pegasus spyware on affected devices.



15 Comments

elijahg 18 Years · 2842 comments

Come on Apple. If there is a hole in an app, that's bad enough, but having an exploitable hole in an app that allows a further exploit in that app's sandbox, enabling an attacker to escape the sandbox, points to some very shoddy code practices. Someone needs to take a good hard look at their unit tests and make them much more robust. Sanitising input is a solved problem; to have repeated issues as a result of specially crafted data is really quite atrocious.

lkrupp 19 Years · 10521 comments

elijahg said:
Come on Apple. If there is a hole in an app, that's bad enough, but having an exploitable hole in an app that allows a further exploit in that app's sandbox, enabling an attacker to escape the sandbox, points to some very shoddy code practices. Someone needs to take a good hard look at their unit tests and make them much more robust. Sanitising input is a solved problem; to have repeated issues as a result of specially crafted data is really quite atrocious.

Nothingburger from the peanut gallery. You can't spell and apparently can't turn on a spell checker, but you claim to be some software coding expert?

JFC_PA 7 Years · 947 comments

Fast and easy update. Thanks. 

Though I’m unlikely to be a state agency target. 

dope_ahmine 4 Years · 264 comments

lkrupp said:
elijahg said:
Come on Apple. If there is a hole in an app, that's bad enough, but having an exploitable hole in an app that allows a further exploit in that app's sandbox, enabling an attacker to escape the sandbox, points to some very shoddy code practices. Someone needs to take a good hard look at their unit tests and make them much more robust. Sanitising input is a solved problem; to have repeated issues as a result of specially crafted data is really quite atrocious.
Nothingburger from the peanut gallery. You can't spell and apparently can't turn on a spell checker, but you claim to be some software coding expert?

Actually, developers often switch off all text fiddling features.