Apple Patches Actively Exploited Zero-Day in iOS, MacOS

Apple Mac security

Company urges iPhone, iPad and Mac users to install updates to fix a critical memory corruption flaw that can allow for attackers to take over a system.

Apple patched a zero-day flaw on Monday, found in both its iOS and macOS platforms that’s being actively exploited in the wild and can allow attackers to take over an affected system.

The memory-corruption flaw, tracked as CVE-2021-30807, is found in the IOMobileFrameBuffer extension which exists in both iOS and macOS, but has been fixed according to specific device platform.

Apple released three updates, iOS 14.7., iPadOS 14.7.1 and macOS Big Sur 11.5.1 to patch the vulnerability on each of the platforms Monday.

Exploiting CVE-2021-30807 can allow for threat actors “to execute arbitrary code with kernel privileges,” Apple said in documentation describing the updates.

“Apple is aware of a report that this issue may have been actively exploited,” the company said. Apple addressed the issue in each of the updates with “improve memory handling,” the company said.

iOS devices that should be updated immediately are: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

Though Apple attributed the discovery of the bug to an “anonymous researcher,” a security researcher at the Microsoft Security Response Center (MSRC) came forward separately on Monday and tweeted that he had discovered the vulnerability some time ago but hadn’t yet found the time to report it to Apple.

“So, as it turns out, an LPE vulnerability I found 4 months ago in IOMFB is now patched in iOS 14.7.1 as in-the-wild,” Saar Amar wrote on Twitter, sharing a link to “some knowledge and details about the bug and some ways to exploit it.”

In the linked documentation, Amar describes the vulnerability as “straightforward” and existing “in a flow called from the external method 83 of AppleCLCD/IOMFB (which is IOMobileFramebufferUserClient::s_displayed_fb_surface).”

To trigger the flaw, “simply calling the external method 83 will do the job (and we can obtain the userclient to AppleCLCD/IMOFB from the app sandbox),” Amar wrote. He describes a proof of concept exploit in detail in his post.

Amar said he planned to “find some extra time to work on it in August,” but Apple released its updates patching the flaw before he got around to it.

“Just to be clear, I intended to submit this bug to Apple right after I’ll finish the exploit [SIC],” he wrote. “I wanted to get a high- quality submission, but I did not have the time to invest in March.”

As iPhone users update to fix yet another Apple zero-day, they also continue waiting for the company to patch a flaw that makes their devices easy prey for Pegasus spyware. Last week leaked data suggested that the notorious Pegasus mobile spyware from Israeli-based NSO Group is exploiting a zero-click zero-day in Apple’s iMessage feature.

The news and evidence of a Pegasus spyware blitz spurred discussion about the security of Apple’s closed ecosystem and a call for accountability and potential changes to the company’s security model.Threatpost Webinar Series Worried about where the next attack is coming from? We’ve got your back. REGISTER NOW for our upcoming live webinar, How to Think Like a Threat Actor, in partnership with Uptycs on Aug. 17 at 11 AM EST and find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on Aug. 17 at 11AM EST for this LIVE discussion.

Suggested articles