Security & Privacy

Apple releases iOS 15, iPadOS 15, watchOS 8, Safari 15, and more

Posted on September 20th, 2021 by

On Monday, Apple released updates to most of its operating systems, including the much-anticipated iOS 15 and iPadOS 15. Apple also released watchOS 8, tvOS 15, Safari 15 for Mac, and Xcode 13. Here’s a brief overview of some notable features and security fixes included with each update.

iOS 15.0 and iPadOS 15.0

Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)

Apple describes the update as follows:

iOS 15 introduces new ways to stay connected, powerful updates that help users focus and explore, and intelligent features to get more done with iPhone. FaceTime updates provide more natural video calls, Focus helps users reduce distraction, new features like Live Text use on-device intelligence to surface useful information, upgrades to Maps provide brand new ways to navigate the world, and much more.

A few highlights:

  • FaceTime SharePlay enables you to share and enjoy content with friends while on a FaceTime call
  • Shared with You is a new section that appears in Photos, Safari, Apple News, Music, Apple Podcasts, and the Apple TV app that displays the photos, articles, music, and other content shared by friends and family in Messages
  • Focus, a new way to help users reduce distraction by filtering notifications based on what a user wants to focus on in that moment.
  • New and improved Maps app

There is, of course, a lot more in terms of new features and improvements. You can see the full list of them for iOS here and for iPadOS here.

At least 22 security related issues were addressed as well. Some of the more interesting ones include:

AppleMobileFileIntegrity
Impact: A local attacker may be able to read sensitive information
Description: This issue was addressed with improved checks.

Face ID
Available for devices with Face ID
Impact: A 3D model constructed to look like the enrolled user may be able to authenticate via Face ID
Description: This issue was addressed by improving Face ID anti-spoofing models.

Telephony
Impact: In certain situations, the baseband would fail to enable integrity and ciphering protection
Description: A logic issue was addressed with improved state management.

Wi-Fi
Impact: An attacker in physical proximity may be able to force a user onto a malicious Wi-Fi network during device setup
Description: An authorization issue was addressed with improved state management.

Siri
Impact: A local attacker may be able to view contacts from the lock screen
Description: A lock screen issue allowed access to contacts on a locked device. This issue was addressed with improved state management.

libexpat
Impact: A remote attacker may be able to cause a denial of service
Description: This issue was addressed by updating expat to version 2.4.1.

The libexpat (XML parser) vulnerability was also addressed in iOS and iPadOS 14.8, released last week. However, those details were not added to the iOS 14.8 security release notes until iOS 15 was made public. Interestingly, the CVE number for this vulnerability (CVE-2013-0340) indicates that it has been public knowledge for approximately 8 years. It is unclear why it took Apple so long to resolve this issue.

It is also worth noting that two serious vulnerabilities that were addressed in iOS/iPadOS 14.8, were not mentioned (and may not have been addressed) in the iOS/iPadOS 15 update. One of the fixes in 14.8 was for WebKit, and one for CoreGraphics (a vulnerability reportedly leveraged by Pegasus spyware), both of them apparently “actively exploited” in the wild. It is unclear whether these fixes were implemented early and thus were already part of the iOS 15 development, as one might expect. But that does raise the question, why was the libexpat fix listed in both the 14.8 and the 15 security release notes?

On Monday, Intego reached out to Apple to ask whether iOS 15 includes patches for these two in-the-wild vulnerabilities, but Apple has not yet responded.

The full list of security issues addressed in iOS and iPadOS 15 can be found here.

To update your devices, go to Settings > General > Software Update on your iPhone, iPad, or iPod touch. You can also update your device by connecting to a Mac, selecting your device in the Finder, and following the instructions there. On Windows, you can do this in iTunes after connecting your device to your PC.

tvOS 15.0

Available for: the Apple TV HD and Apple TV 4K
New features include:

  • Support for Spatial Audio when used with AirPods Pro or AirPods Max
  • New For All of You feature and a new Shared with You feature
  • New HomeKit features

At least 14 security issues were addressed. All of them were addressed in iOS and iPadOS 15.0 as well. The full list of security issues addressed can be found here.

The tvOS update can be downloaded directly from the Apple TV by going to Settings > System > Update Software.

watchOS 8.0

Available for: Apple Watch Series 3 and later
New features include:

  • New workout types, Tai Chi and Pilates
  • Fall detection update
  • Sleeping respiratory rate tracking
  • New watch faces

At least 15 security issues were addressed. All of them were addressed in the aforementioned operating systems as well. The full list of security issues addressed can be found here.

To install this update, make sure your iPhone is up to date first, and that both your iPhone and Apple Watch are connected to the same Wi-Fi network, and also that your Apple Watch has at least a 50% charge. Then open the Watch app on your iPhone and tap General > Software Update.

Safari 15.0

Safari 15, available for macOS Big Sur and macOS Catalina (and also shipping this fall with macOS Monterey), delivers faster performance, improved security, and the following new features:

  • Tab Groups help you save and organize your tabs and easily access them across devices
  • Redesigned tabs have a rounder and more defined appearance and take on the color of the webpage
  • Compact tab bar option shows more of your web page on screen
  • HTTPS upgrade automatically switches sites from HTTP to more secure HTTPS when available

Sadly, macOS Mojave (10.14) will apparently not be enjoying these improvements. Apple typically releases major Safari updates for each new macOS version and the two previous versions, and since Safari 15 is planned for macOS Monterey (macOS 12), the new browser is only being backported to macOS Big Sur (11) and macOS Catalina (10.15).

For now, at least, that also apparently means that macOS Mojave users will also miss out on the four security fixes this new version of Safari brings, all of them for WebKit. As the web browser and its security are the first layer of defense when browsing the web, this writer strongly recommends to switch to an alternative browser (or upgrade to a newer version of macOS, if possible) sooner rather than later. If your Mac here are many Mac browser options available, including Mozilla Firefox and Microsoft Edge (a Chromium-based browser, without the privacy invasions of Google Chrome).

Xcode 13

Available for: macOS Big Sur 11.3 and later
Xcode received an update to the IDE Xcode Server that patched 8 vulnerabilities in nginx (open source web server software). Similar to the libexpat patches for iOS, many of the nginx CVEs date back many years, as far back as 2016. It’s pretty interesting to see Apple taking a sudden interest in patching years-old versions of open source software that it incorporates into its products.

Back up before you upgrade

Before you upgrade your iOS, iPadOS, or macOS device to the latest operating system, it’s always a good idea to back up your data first. This gives you a way to recover and restore your important data in case something does not go as planned.

See also our related article on checking your macOS backups:

How to Verify Your Backups are Working Properly

How can I learn more?

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Facebook, Instagram, Twitter, and YouTube.

About Jay Vrijenhoek

Jay Vrijenhoek is an IT consultant with a passion for Mac security research. He conducts independent malware protection tests, and also writes about privacy and security related matters on his blog Security Spread. Follow him on Twitter at @SecuritySpread. View all posts by Jay Vrijenhoek →