The Hacker News (THN:080F85D43290560CDED8F282EE277B00)
Jul 27, 2021 - 7:28 a.m.

Apple Releases Urgent 0-Day Bug Patch for Mac, iPhone and iPad Devices

thehackernews.com

CVSS3: 9.8 High

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 9.3 High

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: COMPLETE
  • Integrity Impact: COMPLETE
  • Availability Impact: COMPLETE
  • Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Apple on Monday rolled out an urgent security update for iOS, iPadOS, and macOS to address a zero-day flaw that it said may have been actively exploited, making it the thirteenth such vulnerability Apple has patched since the start of this year.

The updates, which arrive less than a week after the company released iOS 14.7, iPadOS 14.7, and macOS Big Sur 11.5 to the public, fix a memory corruption issue (CVE-2021-30807) in the IOMobileFrameBuffer component, a kernel extension for managing the screen framebuffer, that could be abused to execute arbitrary code with kernel privileges.

The company said it addressed the issue with improved memory handling, noting it’s “aware of a report that this issue may have been actively exploited.” As is typically the case, additional details about the flaw have not been disclosed to prevent the weaponization of the vulnerability for additional attacks. Apple credited an anonymous researcher for discovering and reporting the vulnerability.

The timing of the update also raises questions about whether the zero-day had any role in compromising iPhones using NSO Group’s Pegasus software, which has become the focus of a series of investigative reports that have exposed how the spyware tool turned mobile phones of journalists, human rights activists, and others into portable surveillance devices, granting complete access to sensitive information stored in them.

CVE-2021-30807 is also the thirteenth zero-day vulnerability addressed by Apple this year alone, including —

  • CVE-2021-1782 (Kernel) - A malicious application may be able to elevate privileges
  • CVE-2021-1870 (WebKit) - A remote attacker may be able to cause arbitrary code execution
  • CVE-2021-1871 (WebKit) - A remote attacker may be able to cause arbitrary code execution
  • CVE-2021-1879 (WebKit) - Processing maliciously crafted web content may lead to universal cross-site scripting
  • CVE-2021-30657 (System Preferences) - A malicious application may bypass Gatekeeper checks
  • CVE-2021-30661 (WebKit Storage) - Processing maliciously crafted web content may lead to arbitrary code execution
  • CVE-2021-30663 (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution
  • CVE-2021-30665 (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution
  • CVE-2021-30666 (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution
  • CVE-2021-30713 (TCC framework) - A malicious application may be able to bypass Privacy preferences
  • CVE-2021-30761 (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution
  • CVE-2021-30762 (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution

Given the public availability of a proof-of-concept (PoC) exploit, it’s highly recommended that users move quickly to update their devices to the latest version to mitigate the risk associated with the flaw.
