Apple patches zero-day vulnerability in iOS, iPadOS, macOS under active attack
Apple on Monday patched a zero-day vulnerability in its iOS, iPadOS, and macOS operating systems, only a week after issuing a set of OS updates addressing about three dozen other flaws.
The bug, CVE-2021-30807, was found in the iGiant's IOMobileFrameBuffer code, a kernel extension for managing the screen frame buffer, and could be abused to run malicious code on the affected device.
CVE-2021-30807, credited to an anonymous researcher, has been addressed by undisclosed but purportedly improved memory handling code.
"An application may be able to execute arbitrary code with kernel privileges," the iDevice maker said in one of its duplicative advisories. "Apple is aware of a report that this issue may have been actively exploited."
Apple did not, however, say who might be involved in the exploitation of this bug. Nor did the company respond to a query about whether the bug has been exploited by NSO Group's Pegasus surveillance software.
Last week, Amnesty International and media advocacy group Forbidden Stories published a series of articles called the Pegasus Project detailing how NSO's software has been used to spy on politicians, journalists, and political activists.
The groups said they had found evidence that "Pegasus zero-click attacks have been used to install spyware on iPhones." Specifically, they said that the software had been used to attack iMessage on iPhone 11 and 12.
Shortly after Apple's advisory was published, PoC exploit code was posted via Twitter.
Separately, security researcher Saar Amar said he had identified the flaw four months ago and didn't report it, as he intended to work on developing a high-quality bug submission next month. But seeing the flaw has been disclosed, he has published a post about his findings.
The IOMobileFrameBuffer has provided a path into Apple's software several times over the past decade. Presumably Cupertino's coders will be taking a closer look at the software to see if there's anything else they've missed.