Apple has released a security update for iOS and iPadOS that addresses a critical vulnerability reportedly being exploited in the wild.
The update has been made available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This one is listed as CVE-2021-30883 and allows an application to execute arbitrary code with kernel privileges. Those kernel privileges can be gained by exploiting a memory corruption issue in the "IOMobileFrameBuffer" component.
Kernel privileges are a serious matter as they offer an attacker more than administrator privileges. In kernel mode, the executing code has complete and unrestricted access to the underlying hardware. It can execute any CPU instruction and reference any memory address. Kernel mode is generally reserved for the lowest-level, most trusted functions of the operating system.
Researchers have already found that this vulnerability is exploitable from the browser, which makes it extra worrying.
> We can confirm that the recently patched iOS 15.0.2 vulnerability, CVE-2021-30883, is also accessible from the browser: perfect for 1-click & water-holing mobile attacks. This vulnerability is exploited in the wild. Update as soon as possible. <https://t.co/dhogxTM6pT>
>
> – ZecOps (@ZecOps) October 12, 2021
Watering holes are used as a highly targeted attack strategy. The attacker infects a website that they know the intended victim(s) visit regularly. Depending on the nature of the infection, the attacker can single out their intended target(s) or simply infect anyone who visits the site unprotected.
IOMobileFrameBuffer is a kernel extension for managing the screen framebuffer. An earlier vulnerability in this extension, listed as CVE-2021-30807, was tied to the Pegasus spyware. That vulnerability also allowed an application to execute arbitrary code with kernel privileges. Coincidence? Or did someone take the entire IOMobileFrameBuffer extension apart and save up the vulnerabilities for a rainy day?
Another iPhone exploit called FORCEDENTRY was found to be used against Bahraini activists to launch the Pegasus spyware. Researchers at Citizen Lab disclosed this vulnerability and code to Apple, and it was listed as CVE-2021-30860.
As is usual for Apple, both the researcher who found the vulnerability and the circumstances under which the vulnerability was used in the wild are kept secret. Apple didn't respond to a query about whether the previously found bug was being exploited by NSO Group's Pegasus surveillance software.
Over the last months Apple has had to close quite a few zero-days in iOS, iPadOS, and macOS. Seventeen if I have counted correctly.
And last but not least, the latest addition: CVE-2021-30883. That means that of the 17 zero-days fixed over the course of a handful of months, at least 16 were found to be actively exploited.
Apple advises users to update to iOS 15.0.2 and iPadOS 15.0.2, which can be done through the automatic update function or iTunes.
Stay safe, everyone!
The post Update now! Apple patches another privilege escalation bug in iOS and iPadOS appeared first on Malwarebytes Labs.