Update Your Apple Device Now to Plug a Critical and Actively-Exploited Zero-Day

  • Apple has released a minor security patch for iOS 14.7 and macOS Big Sur 11.5, addressing its 13th zero-day this year.
  • The flaw is a privilege escalation initiated by a local app that triggers memory corruption to execute arbitrary code.
  • This is unlikely to be related to the recent rumors around an NSO Pegasus exploit that targets fully-patched iPhones, but it’s still being actively exploited.

Only five days after Apple released iOS 14.7, fixing 37 flaws of varying importance, the tech firm is back with an emergency update that addresses a critical zero-day under active exploitation. Tracked as “CVE-2021-30807”, the flaw is a privilege escalation buffer overflow bug that allows a local application to escalate its rights on the system. The vulnerability exists due to a boundary error within the IOMobileFrameBuffer subsystem, potentially allowing a local app to trigger memory corruption and execute arbitrary code on the target device with kernel privileges.

It is important to note that to exploit this bug, the attacker would need to have local access to the target device and the authentication credentials. Even with this prerequisite, which rules out a wide spectrum of exploit possibilities, the flaw is still reported as actively exploited, so updating your Apple device is imperative. The versions that address the problem are iOS 14.7.1, iPadOS 14.7.1, and macOS Big Sur 11.5.1. It is a small update, but it’s still important to apply it as soon as possible, especially if your device is potentially accessible by other people.
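For anyone responsible for more than one device, the fixed versions above can be checked against an inventory export. The following is an added example, not code from Apple or from this article: the CSV column names, device names and sample rows are constructed, and release lines the article does not mention are reported as not covered rather than guessed at.

```python
import csv
import io

# Fixed releases named in the article, keyed by (platform, major version).
FIXED = {
    ("iOS", 14): (14, 7, 1),
    ("iPadOS", 14): (14, 7, 1),
    ("macOS", 11): (11, 5, 1),
}

# Constructed inventory export (hypothetical columns and devices).
SAMPLE_INVENTORY = """device,platform,os_version
alice-iphone,iOS,14.7
bob-iphone,iOS,14.7.1
carol-ipad,iPadOS,14.6
dave-mac,macOS,11.5
erin-mac,macOS,11.5.1
frank-iphone,iOS,14.10
grace-mac,macOS,10.15.7
heidi-mac,macOS,11.x
"""

def parse_version(text):
    """'14.7' -> (14, 7, 0), so 14.7 < 14.7.1 and 14.10 > 14.7.1."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) > 3:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def classify(platform, os_version):
    try:
        current = parse_version(os_version)
    except ValueError:
        return "unknown-version"      # do not guess; flag for manual review
    fixed = FIXED.get((platform, current[0]))
    if fixed is None:
        return "not-covered"          # release line not named in the article
    return "patched" if current >= fixed else "needs-update"

def audit(inventory_csv):
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["device"]: classify(r["platform"], r["os_version"]) for r in rows}

if __name__ == "__main__":
    for device, status in audit(SAMPLE_INVENTORY).items():
        print(f"{device:14} {status}")
```

Comparing versions as integer tuples matters here: a plain string comparison would rank a constructed version such as 14.10 below 14.7.1 and would treat 14.7 and 14.7.1 inconsistently.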

According to a security researcher who has published a proof-of-concept exploit for CVE-2021-30807 on Twitter, this flaw could be useful for a jailbreak, which is something that the owners of iPhones would do themselves, having local access and credentials.

Also, Saar Amar, a Microsoft researcher, claims to have discovered this vulnerability four months ago and has now posted a detailed technical write-up on the flaw, so if you’re interested in diving deeper, you should have a look. The researcher has also promised to release a full exploit for the flaw, which he was planning to do next month, but it appears that Apple’s emergency fix caught him by surprise.

As for the NSO Pegasus zero-day that was rumored to be affecting fully-patched iPhones and which was somewhat expected to be addressed last week, this one doesn’t appear to be it. Local access privilege escalation doesn’t match the remote exploitation context that would typically characterize a Pegasus exploit, so the Pegasus flaw was either addressed in one of last week’s WebKit fixes or Apple’s security engineers need more time to develop a fix for it. That is, if it even exists.
