Apple releases new version of iOS to patch a zero-day flaw under active attack
iOS 14.7.1 comes hot on the heels of iOS 14.7, which also patched a number of code execution flaws
Apple has released an updated version of the iOS mobile operating system which patches a vulnerability active attack.
The vulnerability, tracked as CVE-2021-30807, affects IOMobileFrameBuffer, a kernel extension for managing the screen framebuffer on Apple devices. In a security update Apple says the vulnerability could allow an attacker to execute arbitrary code with kernel privileges. It also says it is "aware of a report that this issue may have been actively exploited".
The bug is the 13th zero-day addressed by Apple in 2021. In the latest versions of macOS Big Sur 11.5.1, iOS 14.7.1 and iPadOS 14.7.1 memory handling has been improved to patch the latest vulnerability.
The company does not publish a detailed account of vulnerabilities in its software until most people have downloaded patches or upgrades, but it is thought that to exploit the vulnerability a user would first have to install a malicious app.
Researcher Saar Amar claims to have discovered the recently-patched vulnerability 4 months ago, creating a proof of concept attack using the WebKit browser engine. Amar said he did not have time to document it fully and inform Apple. He published his findings yesterday on GitHub.
Apple is urging users to update their operating systems to macOS Big Sur 11.5.1, iOS 14.7.1 or iPadOS 14.7.1, depending on the device, as soon as possible.
This advice comes days after Apple advised customers to upgrade to iOS 14.7 and iPadOS 14.7 to patch a string of other code-execution vulnerabilities.
Still absent from any security fixes, however, is protection against Pegasus spyware, which can reportedly be installed on iPhones by a 'zero-click' method, probably simply by calling them.
After infecting a device, Pegasus - which is sold by the Israeli surveillance firm NSO Group and has been the subject of major revelations by Forbidden Stories, Amnesty International and various media organisations - allows operators to record calls, exfiltrate emails, photos, and messages and activate cameras and microphones.
Pegasus may have been used to snoop on more than 1,000 journalists, rights activists politicians and other prominent individuals from about 50 countries. It is also implicated in the murder of Saudi journalist Jamal Khashoggi.
Apple's share price took a knock following the Pegasus revelations, not that it is necessarily more vulnerable to attacks by Pegasus than Android, but more because security is one of its key selling points.