Apple's update to iOS 14.8 and iPadOS 14.8 introduces fixes for two vulnerabilities, including one that enabled attacks that worked around Apple's BlastDoor protective system.
Monday's release of iOS 14.8 and iPadOS 14.8 to the public was unexpected and lacked any betas ahead of being issued. Apple described the patches as providing "important security updates and is recommended for all users."
Shortly after the release, Apple published the security content changes included in iOS 14.8 and iPadOS 14.8. The two fixes relate to the CoreGraphics and WebKit sections of both operating systems.
Both entries state that the impact of the vulnerabilities was that processing a "maliciously crafted" PDF file or web content "may lead to arbitrary code execution." Apple "is aware of a report that this issue may have been actively exploited."
The CoreGraphics patch is listed as issue CVE-2021-30860, reported by The Citizen Lab, while "an anonymous researcher" reported CVE-2021-30858, affecting WebKit.
The updates fix issues that allowed an attacker to bypass Apple's BlastDoor security sandbox, a system used to stop malicious code execution in Messages.
Following initial reporting on the Pegasus hacking tool in July, a second report by Citizen Lab in August revealed the vulnerability in iMessage, which allowed Pegasus to be installed on a target iPhone. The hack and the use of Pegasus are believed to have been performed on devices owned by journalists and human rights activists.
Update: After the iOS 14.8 update went live, Citizen Lab published a report about a zero-click exploit leveraging the CVE-2021-30860 vulnerability. According to Citizen Lab, the exploit appears to have been developed by NSO Group and was discovered when it actively targeted the smartphone of at least one Saudi activist. The exploit, which targeted Apple's image rendering library, was used to distribute the Pegasus spyware on affected devices.