Apple address actively exploited zero-day with OS updates

Apple releases iOS 15.0.2 and iPadOS 15.0.2 to address new zero-day bug

Image:
Apple releases iOS 15.0.2 and iPadOS 15.0.2 to address new zero-day bug

The company says it is aware of a report that the issue may have been actively exploited

Apple on Monday released iOS 15.0.2 and iPadOS 15.0.2 to address a new zero-day bug that it says is being exploited in the wild.

The flaw, indexed as CVE-2021-30883, is a memory corruption issue in the "IOMobileFrameBuffer" component (a kernel extension for managing the screen framebuffer on Apple devices) that could allow an application to run arbitrary commands with kernel privileges on vulnerable devices.

While Apple did not provide any details on how this zero-day was used in attacks, they noted that there were reports of it being actively used in attacks.

Apple deliberately keeps its bug reports vague so as to allow most of the users to apply the patch and prevent other adversaries from weaponising the bug.

The company said it learned of the issue from an anonymous security researcher, and the bug has now been addressed with improved memory handling.

The latest updates are available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

Soon after Apple released the updates, security researcher Saar Amar shared additional details and a proof-of-concept (PoC) exploit for CVE-2021-30883, which was derived from reverse engineering the patch.

Amar noted that "this attack surface is highly interesting because it's accessible from the app sandbox (so it's great for jailbreaks) and many other processes, making it a good candidate for LPEs exploits in chains."

Security experts are now advising iPhone and iPad users to update their devices to the latest versions to mitigate the security vulnerability.

CVE-2021-30883 is the second zero-day impacting IOMobileFrameBuffer after Apple addressed a similar memory corruption issue (CVE-2021-30807) in July 2021.

In total, Apple has fixed 17 zero-day bugs since the start of the year.

Last month, the iPhone maker released a suite of new updates for iOS, watchOs and macOS to fix a critical bug that security researchers said was exploited by spyware to spy on a Saudi activist.

The researchers from the University of Toronto's Citizen Lab said the exploit, which had existed since February 2021, enabled attackers to deploy NSO Group's Pegasus spyware on an iPhone, iPad, Apple Watch or Mac computer, without requiring the users to click on any links.

Also last month, a security researcher dropped PoC exploit code for three iOS zero-day bugs after Apple delayed patching and failed to credit the researcher.

In September, researchers also disclosed a zero-day in Apple's macOS Finder system which enabled malicious actors to run arbitrary commands on Macs running all versions of macOS, including the latest Big Sur edition.

The bug was found by independent cybersecurity researcher Park Minchan who reported it to SSD Secure Disclosure. SSD then alerted Apple about the bug, and the company silently patched it without issuing a CVE identification number.