Apple urges iPhone, iPad & Mac users to install updates to fix a critical memory corruption flaw that can allow for attackers to take over a system.
Apple patched a zero-day flaw on Mon., found in both its iOS & macOS platforms that’s being actively exploited in the wild & can allow attackers to take over an affected system.
The memory-corruption flaw, tracked as CVE-2021-30807, is found in the IOMobileFrameBuffer extension which exists in both iOS & macOS, but has been fixed according to specific device platform.
Exploiting CVE-2021-30807 can allow for threat players “to execute arbitrary code with kernel privileges,” Apple stated in documentation describing the updates.
“Apple is aware of a report that this issue may have been actively exploited,” the company explained. Apple addressed the issue in each of the updates with “improve memory handling,” the company observed.
iOS devices that should be updated immediately are iPhone 6s & later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation & later, iPad mini 4 & later, & iPod touch (7th generation).
Though Apple attributed the discovery of the bug to an “anonymous researcher,” a security researcher at the Microsoft Security Response Centre (MSRC) came forward separately on Mon. & tweeted that he had discovered the vulnerability some time ago but hadn’t yet found the time to report it to Apple.
“So, as it turns out, an LPE vulnerability I found 4 months ago in IOMFB is now patched in iOS 14.7.1 as in-the-wild,” Saar Amar wrote on Twitter, sharing a link to “some knowledge & details about the bug & some ways to exploit it.”
In the linked documentation, Amar describes the vulnerability as “straightforward” and existing “in a flow called from the external method 83 of AppleCLCD/IOMFB (which is IOMobileFramebufferUserClient::s_displayed_fb_surface).”
To set-off the flaw, “simply calling the external method 83 will do the job (& we can obtain the user client to AppleCLCD/IMOFB from the app sandbox),” Amar wrote. He describes a proof-of-concept exploit in detail in his post.
Patching the Flaw
Amar outlined he planned to “find some extra time to work on it in Aug.,” but Apple released its updates patching the flaw before he got around to it.
“Just to be clear, I intended to submit this bug to Apple right after I’ll finish the exploit [SIC],” he wrote. “I wanted to get a high-quality submission, but I did not have the time to invest in March.”
As iPhone users update to fix yet another Apple zero-day, they also continue waiting for the company to patch a flaw that makes their devices easy prey for Pegasus spyware.
Last week leaked data suggested that the notorious Pegasus mobile spyware from Israeli-based NSO Group is exploiting a zero-click zero-day in Apple’s iMessage feature.
The news & evidence of a Pegasus spyware blitz started discussion about the security of Apple’s closed ecosystem & a call for accountability & potential changes to the company’s security model.