Just one day before iOS 15 is expected to release, iOS 14, etc. In the year between those big updates, smaller point patches are released. These in-between updates are usually focused on bug/security fixes, though they do often come with their own new features. iOS 14.7 added improved HomePod controls in the Home app, iOS 14.6 enhanced AirTag functionality, and so on.
At a certain point, however, these smaller updates stop so Apple can focus on delivering its next major software upgrade. iOS 14.7 was released this past July. Since then, it's been expected that it would be the final iOS 14 update leading up to iOS 15. iOS 15 is set to be a fairly large update to the iPhone, bringing a new notification system, Focus Modes, new FaceTime features, and a whole lot more.
Despite all of that — and the fact that iOS 15 is just one day away — Apple has released iOS 14.8 to the surprise of everyone. There aren't any new features or app changes in this update. Instead, it's 100 percent focused on security patches. Apple calls out two patches on its website, the first of which is for the CoreGraphics component in iOS. Before this fix, "processing a maliciously crafted PDF may lead to arbitrary code execution." There's also an update to WebKit to fix a vulnerability where "processing maliciously crafted web content may lead to arbitrary code execution."
Why iOS 14.8 Is Such An Important Update
Apple releases multiple security patches in any given year, though some are more important than others. In iOS 14.8, the two items Apple is addressing are pretty critical. As noted by The Citizen Lab (the organization that disclosed the vulnerabilities to Apple), these exploits were used by NSO Group to infect a Saudi activist's iPhone with its 'Pegasus' spyware. As The Citizen Lab explains, "We determined that the mercenary spyware company NSO Group used the vulnerability to remotely exploit and infect the latest Apple devices with the Pegasus spyware. We believe that FORCEDENTRY has been in use since at least February 2021."
In other words, these two vulnerabilities in CoreGraphics and WebKit could allow an iPhone to become infected with spyware without any input from its owner. Even if someone is careful on their phone and mindful of what they click/tap, spyware like Pegasus can use these vulnerabilities to quietly infect an iPhone without drawing any attention to itself.
Given how potentially harmful these vulnerabilities are, it's recommended everyone update to iOS 14.8 as quickly as possible. Even with iOS 15 possibly arriving in less than 24 hours, this issue should be fixed ASAP. The update is available now for the iPhone 6s and later, all iPad Pro models, iPad Air 2 and later, the 5th gen iPad and later, iPad mini 4 and later, and the 7th gen iPod touch. Open the Settings app, tap 'General,' tap 'Software Update,' and install the iOS 14.8/iPadOS 14.8 update as soon as it shows up.
Source: Apple, The Citizen Lab