What you need to know
- Apple has released iOS 14.7.1.
- It appears to have patched a vulnerability that made it possible to install Pegasus spyware on an iPhone with no user input.
With the latest version of iOS 14, Apple appears to have patched a vulnerability in its iPhone software that was exploited by Pegasus spyware, according to recent reports.
The Register notes that iOS 14.7.1 came out Monday, and in all likelihood patched a vulnerability in iOS 14.6:
Apple on Monday patched a zero-day vulnerability in its iOS, iPadOS, and macOS operating systems, only a week after issuing a set of OS updates addressing about three dozen other flaws.
The bug, CVE-2021-30807, was found in the iGiant's IOMobileFrameBuffer code, a kernel extension for managing the screen frame buffer that could be abused to run malicious code on the affected device.
CVE-2021-30807, credited to an anonymous researcher, has been addressed by undisclosed but purportedly improved memory handling code.
Apple's traditionally bland software notes simply said "An application may be able to execute arbitrary code with kernel privileges... Apple is aware of a report that this issue may have been actively exploited."
There's no way that Apple would be forthcoming about what specific issue was patched or whether it relates to recent stories about NSO Group and its Pegasus spyware, reportedly used to target the phones of journalists and activists as well as government officials. A report previously noted the software could be installed on the iPhone without any user input.
iOS 14.7.1 also helped to fix a bug that stopped Touch ID iPhones from unlocking Apple Watch.