Apple published iOS 14.8.1, iPadOS 14.8.1, watchOS 8.1, and tvOS 15.1 on Monday and Tuesday, fixing a total of 24 CVEs.
The CVEs, which include various problems in iOS components that, if exploited, might lead to arbitrary code execution, sometimes with kernel privileges that would allow an attacker to reach the heart of the operating system, are detailed on Apple’s security website.
In one example, Apple stated that it is “aware of a report that this problem may have been actively exploited” in IOMobileFrameBuffer for Apple TV, a “maybe” that researchers corroborated.
This one is especially concerning because researchers have previously discovered that the issue can be exploited from the browser, making it “ideal for one-click & water-holing mobile attacks,” according to mobile security firm ZecOps.
In a watering-hole operation, a threat actor places malware on websites that are likely to attract a target, hoping that someone would visit and become infected.
Apple, understandably, puts a tight lid on information that may aid more attackers in their attacks. What is undisclosed is whether or not this flaw may allow an application to run arbitrary code with kernel privileges.
Other security-related flaws stand out in the two dozen CVEs Apple patched this week, according to Malwarebytes Labs.
Apple announced earlier this year that consumers would have the option of upgrading to iOS 15 as soon as it was available, or remaining on iOS 14 and receiving essential security upgrades until they were ready to upgrade.