Apple rushed out updates for iPhones, iPads, Macs and Apple Watches on Monday to patch a pair of critical security vulnerabilities. The updates protect users from arbitrary code execution that can be triggered by maliciously crafted PDFs or web content, Apple said in its release notes.
In both cases, “Apple is aware of a report that this issue may have been actively exploited,” the company said.
The updates include iOS 14.8, iPadOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2 and security patches for Safari and macOS Catalina.
iOS 14.8 is a critical security patch
The security holes Apple closed can be exploited by sending a PDF or webpage through the Messages app. To make matters worse, an attack apparently does not require the victim to click or interact with the message at all.
The worrisome vulnerabilities were reported by The Citizen Lab and an anonymous researcher, Apple said.
“While analyzing the phone of a Saudi activist infected with NSO Group’s Pegasus spyware, we discovered a zero-day zero-click exploit against iMessage,” Citizen Lab said in a post about the security flaw it uncovered. “The exploit, which we call FORCEDENTRY, targets Apple’s image rendering library, and was effective against Apple iOS, MacOS and WatchOS devices.”
Monday’s updates caught many people off-guard because they come just days before the company is expected to release the final versions of iOS 15, iPadOS 15 and watchOS 8.
As is usual with security patches, there was no beta testing. These went straight from Apple to users’ iPhones, Macs, etc. The iPhone-maker has become much more willing to put out security patches like this. For example, iOS 14.8 is a replacement for iOS 14.7.1, which was itself only a security patch.
All that said, the names for the iPhone and iPad updates are surprising. A security-only patch typically would have been called iOS 14.7.2 or macOS 11.5.3. These big jumps in the version numbers ordinarily would indicate there are new features. Perhaps these are being hidden and will be announced at Apple’s September 14 press event.
watchOS 7.6.2, on the other hand, is a name that clearly indicates a security-only update.
How to install the updates
Install iOS 14.8 or iPadOS 14.8 by connecting the device to a Mac, or to a PC running iTunes. Alternatively, an over-the-air update is also possible. That’s accomplished by opening the Settings app and going to General > Software Update.
To install the latest version of macOS Big Sur via Software Update, go to the Apple menu > System Preferences, then click Software Update. Another option is to install the new version from the App Store.
The watchOS 7.6.2 update can be installed directly onto an Apple Watch, as long as the wearable is connected to Wi-Fi. From the Settings app just navigate to General > Software Update. Alternatively, it can be installed from an iPhone by opening the Apple Watch app and going to My Watch > General > Software Update.
Update: This article was updated on Sept. 13 with details about the security vulnerabilities being patched.