Apple has released fixes for more than 20 vulnerabilities in iOS 15, many of which could be used for arbitrary code execution.
The updates in iOS 15.1 include patches for flaws in the kernel, the GPU drivers, WebKit, and other components of the operating system that can be used for code execution. Unlike several of Apple’s recent iOS updates, there’s no indication that any of the vulnerabilities have been exploited in the wild at this point.
Of the vulnerabilities patched in this release, 12 of them can lead to arbitrary code execution. There are three separate code-execution vulnerabilities in the iOS kernel, two of which are memory corruption bugs, while the third is a use-after-free. There are also two code-execution flaws in the iOS GPU drivers, a memory corruption bug and an out-of-bounds write, both of which could allow an attacker to run code with kernel privileges.
There is also an odd issue with Siri fixed in this release. The bug could allow an attacker with physical access to the device to view the user’s contacts from the lock screen without entering the PIN or using FaceID.
Several of the bugs fixed in iOS 15.1 also are patched in macOS Monterey 12.01, including the three kernel vulnerabilities. The new version of Monterey also includes patches for two code-execution bugs in the Intel graphics driver, both of which could be used to run arbitrary code with kernel privileges.
Monterey 12.1 also includes fixes for six vulnerabilities in the WebKit framework, one of which could allow an attacker to bypass the HTTP strict transport security (HSTS) protection, a feature that allows sites to tell a browser that they should only be accessed using HTTPS.
The updates for iOS and macOS are available for newer devices now.