Apple Releases Urgent Patch for New Zero-Day Vulnerability

Summary

On Monday 11th October 2021, Apple released security updates to fix a zero-day vulnerability that has been exploited in the wild, targeting iPhone and iPad. The vulnerability, tracked as CVE-2021-30883, is a critical memory corruption bug in IOMobileFrameBuffer. It allows an application to execute arbitrary code with kernel privileges on vulnerable devices.

“Apple is aware of a report that this issue may have been actively exploited,” Apple stated in the advisory it published. When the vulnerability was published, security researcher Saar Amar shared a proof-of-concept (PoC) exploit. “This attack surface is highly interesting because it’s accessible from the app sandbox (so it’s great for jailbreaks) and many other processes, making it a good candidate for LPEs exploits in chains (WebContent, etc.),” stated Saar Amar in his article.

This is the 17th zero-day flaw Apple has addressed in 2021 and the 2nd zero-day vulnerability in IOMobileFrameBuffer. The impacted devices are iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

Impact

  • Allows an application to execute arbitrary code with kernel privileges on vulnerable devices. This can be used to steal data.

Remediate

  • Update to the latest versions: iOS 15.0.2 and iPadOS 15.0.2.

References