It took Apple more than two weeks to close a security hole in the still widespread iOS 14 that the company knew was already being exploited. The bug, tracked as CVE-2021-30883, is located in the kernel extension IOMobileFrameBuffer and consists of a memory error that attackers could use to execute arbitrary code with kernel privileges. To this day, Apple has not revealed who exploited the vulnerability or how.
iOS 14 should continue to receive updates
During the night of Wednesday, the company followed up with the security updates iOS 14.8.1 and iPadOS 14.8.1. The IOMobileFrameBuffer bug had already been fixed in iOS and iPadOS 15.0.2 during the night of October 12th. Why the company then needed so long to fix the bug in iOS 14 remains unclear. When iOS 15 was released, the company announced that it would continue to provide iOS 14 with at least security updates.
Other issues fixed
According to Apple, iOS 14.8.1 and iPadOS 14.8.1 also fix eleven other bugs in WebKit, the kernel, Sidecar, the GPU drivers, CoreGraphics, Audio and Continuity Camera, among others. Many of the vulnerabilities can be used to execute malicious code. It is unclear whether Apple’s list really contains all the bugs that have been fixed or whether others will be added later; unfortunately, its completeness cannot be relied upon.
Information published later
In addition to the information on the iOS and iPadOS 14 security update, Apple has published further information on existing security updates that was briefly missing. Information is now available for macOS 12.0.1, macOS 11.6.1, Security Update 2021-007 Catalina, watchOS 8.1, tvOS 15.1, and iOS 15.1 and iPadOS 15.1. It describes dozens of vulnerabilities that the company has fixed; many allow foreign code to be executed. In some cases, several so-called “additional recognition” entries are listed that do not contain any details about the actual bugs. Apple’s information policy remains extremely vague in security matters. (bsc)