Apple has just released the security content of the new iOS 15 operating system update, and the iPhone maker fixed 22 vulnerabilities, some of which are critical.
Security issues fixed in iOS 15 include four vulnerabilities in the WebKit browser engine that powers Safari, reported by Sergei Glazunov, an ethical hacker at Google’s Project Zero.
According to Apple’s support page, the issues mean that processing maliciously crafted web content could lead to the execution of arbitrary code. In addition, a vulnerability labeled CVE-2021-30810 was also fixed in iOS 15; it means that an attacker in physical proximity might be able to force a user onto a malicious Wi-Fi network while the device is being configured.
None of the security issues fixed in iOS 15 are yet being used by hackers to attack iPhones, but some of them are serious. “Unfortunately, there are a few high severity vulnerabilities, such as WebKit issues, that would allow an attacker to remotely exploit and gain access to the device,” says Sean Wright, SME Security Manager at Immersive Labs. In some cases, he adds, attackers could then gain privileged access to your iPhone.
Does iOS 14.8 fix the same issues as iOS 15?
Some of the issues fixed in iOS 15 were also fixed in the iOS 14.8 update, but not all of them. It’s a bit confusing, because starting with iOS 15, Apple will offer security-only updates for its predecessor, iOS 14, so you can avoid bugs and stay safe without upgrading immediately.
When Apple released fixes in iOS 14.8 last week, including one for the flaw exploited by the Pegasus spyware, it looked like we were seeing this new iOS 15 feature in action. I still think it is. However, the iOS 15 security update fixes 22 vulnerabilities and iOS 14.8 fixes 14, and there is no iOS 14.8.1 upgrade option for users on older operating systems.
Nine of the 22 issues fixed in iOS 15 were also fixed in iOS 14.8. They include three of the WebKit vulnerabilities reported by Google: CVE-2021-30846, CVE-2021-30848, and CVE-2021-30849. Another security issue fixed in both iOS 14.8 and iOS 15 is CVE-2013-0340 in libexpat, which could allow an attacker to perform denial of service attacks. The two iOS updates also fix three vulnerabilities in FontParser, where processing a maliciously crafted dfont file can lead to the execution of arbitrary code, plus a CVE in Kernel and another in Preferences.
One explanation for the additional fixes in iOS 15 could be that Apple only fixes critical security issues in iOS 14.8, such as those already exploited in the wild. The Pegasus vulnerability would fall into this category, as would some of the WebKit issues. Alternatively, Apple may not have given full details of the vulnerabilities fixed in iOS 14.8, or it may be in the process of releasing another security patch in addition to 14.8.
I asked Apple, and the iPhone maker hasn’t answered me yet. I will update this story if and when they respond.
Do I need to upgrade to iOS 15 to stay safe?
Whatever the reason, it looks like those who upgrade to iOS 15 will now be more secure than those who don’t. For this reason, you need to determine whether you are a target of attacks and how they would affect you if you were hit. As someone who works in security, I always recommend that people stay as safe as possible, even if that means experiencing a few bugs.
Wright says to update as soon as possible, but notes that none of the security issues fixed in iOS 15 are being actively exploited, “and details on how to exploit them are not publicly available, which helps reduce risks to ordinary users.”
You should update to iOS 14.8 if you haven’t already, to make sure you’re protected against attacks already used to hack iPhones. But I understand that iOS 15 is a big upgrade, so you might want to leave it for a few days and see if another iOS 14 security update emerges, especially since Apple says attackers are not yet using the latest issues fixed in iOS 15 to attack iPhones.