Earlier this week, Apple released iOS 14.7 with several small enhancements. That oddly wasn’t accompanied by a corresponding iPadOS 14.7 release, likely because Apple wanted to get support for its new MagSafe Battery Pack out as quickly as possible. But now it appears that Apple has caught up with the rest of its point releases for the iPad and Mac — and it’s also published a long list of security holes that have been fixed in the latest versions.
In fact, the list of security fixes in iOS 14.7 et al is longer and arguably more significant than the features that these updates brought to the table, and while there’s no evidence that any of them have (yet) been exploited, it makes a compelling case for updating your iPhone, iPad, or Mac as soon as possible.
Apple lists over 30 security holes that are fixed in iOS/iPadOS 14.7, plus another 35 in macOS Big Sur 11.5.
Older macOS versions haven’t been left out of the party either — security updates are also available for macOS Catalina and Mojave, fixing 20+ security vulnerabilities in each of those platforms.
The issues are quite wide-ranging as well, encompassing WebKit, Find My, image and audio processing engines, and even a problem in Apple’s Measure app.
Several were brought to Apple’s attention by security researchers from Google’s Project Zero team and Trend Micro’s Zero Day initiative, while others were flagged by independent researchers and even less likely sources like Zoom.
While a few of the security flaws are relatively innocuous, often requiring that a hacker have direct access to your device, a surprising number of them involve “maliciously crafted” items such as audio files, PDF files, and even fonts that could be sent to an unsuspecting user via email, messages, or even a web page.
- A shortcut may be able to bypass Internet permission requirements
- Processing a maliciously crafted audio file may lead to arbitrary code execution
- Playing a malicious audio file may lead to an unexpected application termination
- Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
- Processing a maliciously crafted font file may lead to arbitrary code execution
- A malicious application may be able to gain root privileges
- A sandboxed process may be able to circumvent sandbox restrictions
- A malicious application may be able to access Find My data
- Processing a maliciously crafted tiff file may lead to a denial-of-service or potentially disclose memory contents
- A malicious application may be able to bypass code signing checks
- Processing maliciously crafted web content may lead to arbitrary code execution
- Processing a maliciously crafted image may lead to arbitrary code execution
- A malicious attacker with arbitrary read and write capability may be able to bypass Pointer Authentication
- An attacker that has already achieved kernel code execution may be able to bypass kernel memory mitigations
- A remote attacker may be able to cause arbitrary code execution
- Processing a maliciously crafted image may lead to a denial of service
- Processing a maliciously crafted file may disclose user information
- A malicious application may be able to bypass certain Privacy preferences
- Joining a malicious Wi-Fi network may result in a denial of service or arbitrary code execution
To be clear, there is no evidence that any of these have been exploited, but the fact that they’ve already been found by ethical security researchers suggests that they’re also likely known to less ethical ones.
In fact, one of these fixes is for an issue we already know about — random Wi-Fi names that can break your iPhone’s wireless connectivity — but it turns out that researchers discovered it had the potential to open the door to even greater risks.
What Is Arbitrary Code Execution?
This technical-sounding phrase represents possibly the greatest risk of any security vulnerability, since it refers to allowing hackers to run small bits of application code on your device, which could have all sorts of unintended consequences.
In many cases, the security features built into iOS try to partition off sensitive data so that malicious code doesn’t get carte blanche access to the whole system, but there are often security vulnerabilities that break down these firewalls, particularly in cases where a problem can “disclose memory contents,” allowing a snippet of code to read anything that happens to be sitting in your iPhone’s RAM, which could be highly sensitive information like passwords or credit card numbers.
Of course, Apple continues to proactively improve security in each major iOS release, adding new features like BlastDoor that help to contain the damage that any malicious code can do from the most vulnerable entry points, like the Messages app. However, it’s very difficult to close every potential hole in today’s sophisticated mobile operating systems, and iOS is certainly not exempt from the problems caused by that kind of complexity.
Pegasus Industrial Spyware
Despite the addition of BlastDoor in iOS 14, a report by Amnesty International highlighted a piece of industrial spyware that’s been used for counterterrorism since 2014 that still works on devices running iOS 14.6.
Dubbed Pegasus, the tool takes advantage of zero-click vulnerabilities in the Messages framework that allows it to install spyware without any user knowledge or interaction. Once installed, it can secretly send messages and photos stored on the iPhone, and even record audio from phone calls or the built-in microphone.
NSO Group, the Israeli firm behind Pegasus, has been playing an advanced game of cat-and-mouse with Apple for years. No sooner does Apple close one security hole than NSO’s researchers find a new one to exploit to ensure that Pegasus continues to work as designed.
While Pegasus has been around for at least seven years, it came into the forefront more recently because of a forensic analysis by Amnesty International’s Security Lab that found that Pegasus has also been used to target and spy on “human rights defenders (HRDs) and journalists around the world” — specifically more than 80 journalists from 17 media organizations in 10 countries.
This research has uncovered widespread, persistent and ongoing unlawful surveillance and human rights abuses perpetrated using NSO Group’s Pegasus spyware.
To be clear, Pegasus is a targeted attack, which means that the odds of you finding this spyware on your own iPhone is slim — unless of course you’re somebody who has an interesting enough life to be the subject of scrutiny by organizations that specialize in this kind of espionage.
While there’s a good chance that iOS 14.7 will frustrate NSO’s efforts to keep Pegagus running on modern iPhones, there’s no reason to believe that these researchers won’t find new ways to exploit Apple’s operating systems for their own ends.
Even though most of us are extremely unlikely to become a target of serious professional malware like Pegasus, it’s a good cautionary tale to always keep current with the latest available software updates for our iPhones, iPads, and other devices.
We’ve long since reached the point where the potential for encountering serious bugs in a new iOS or iPadOS update is far less serious than the risk of having our devices compromised by hackers and malware.