Apple patches two in-the-wild vulnerabilities for macOS, iOS, iPadOS, watchOS

Apple has released a series of security updates to patch two critical vulnerabilities that the company says were “actively exploited” in the wild.

The following updates were released on Monday, September 13, 2021:

  • iOS 14.8
  • iPadOS 14.8
  • macOS Big Sur 11.6
  • Security Update 2021-005 Catalina
  • Safari 14.1.2 (build 14611.3.10.1.7 for Mojave and 15611.3.10.1.7 for Catalina)

Each of these updates patches one or both of the following issues:

Component: CoreGraphics

Impact: Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: An integer overflow was addressed with improved input validation.

Vulnerability ID: CVE-2021-30860, reported by The Citizen Lab

Component: WebKit

Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: A use after free issue was addressed with improved memory management.

Vulnerability ID: CVE-2021-30858, reported by an anonymous researcher

Every one of Apple’s operating systems received both updates, with two exceptions:

  • CVE-2021-30860 was evidently not patched for macOS Mojave
  • CVE-2021-30858 was evidently not patched in watchOS 7.6.2

It is unclear whether those vulnerabilities were simply not exploitable on those operating systems, or if there was some other reason why they were not patched. We have reached out to Apple for clarification and will update this article if Apple responds.

The bug that wasn’t patched for Mojave is reportedly one that was exploited by Pegasus spyware on iOS, as we reported on back in July:

Pegasus Spyware Hacks iPhones of Prominent Individuals

Apple’s next versions of its flagship operating systems—iOS 15, iPadOS 15, and macOS Monterey—are due this fall.

Apple quietly announced the iOS 15 and iPadOS 15 release date, Monday, September 20, shortly after its September 14th “California Streaming” Apple Event which we covered here on The Mac Security Blog. However, Apple has not yet announced precisely when macOS Monterey will be released.

Are older versions of macOS protected? What about iOS?

Apple typically only releases security updates for the current and two previous versions of the Mac operating system. This means that macOS Big Sur (aka macOS 11), macOS Catalina (macOS 10.15), and macOS Mojave (macOS 10.14) are currently supported. All older versions are no longer receiving any security updates whatsoever.

For optimal security and privacy, it’s best to stay on the latest version of macOS that your Mac supports, and use trusted protection tools—like Intego’s Mac Premium Bundle X9—to keep your Mac as safe as possible from viruses and cyber threats.

As for iOS (and iPadOS), Apple currently releases security updates for the current version, with occasional updates for a previous version. For now, this means that iOS 14 and iPadOS 14 get all security updates, and iOS 12 (the last version that will run on older mobile devices) occasionally gets updates to resolve some—but not all—vulnerabilities.

After iOS 15 and iPadOS 15 are released next Monday, Apple has pre-committed to continue releasing updates for iOS 14 and iPadOS 14. This marks a departure from Apple’s past practices, especially since versions 14 and 15 support the same hardware. However, it remains to be seen whether there will be a similar relationship as currently exists between 14 and 12 (where the older version doesn’t receive patches for every security flaw). It also remains to be seen whether Apple will continue to release occasional iOS 12 updates to offer continued support for older hardware that cannot run the latest iOS or iPadOS.

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer, and an award-winning public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 25 years, which is often featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on X/Twitter, LinkedIn, and Mastodon.