Apple has released a patch to fix a zero-day vulnerability in iOS 15 and iPadOS 15 that is being actively exploited in the wild. The vulnerability, tracked as CVE-2021-30883, is a critical memory corruption flaw that is present in the IOMobileFrameBuffer kernel extension which manages the screen frame buffer. The flaw was reported to Apple by an anonymous researcher.
Apple has not released details of the nature of the exploitation attempt, but said in its security update that, “an application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.” If an attacker were to gain kernel privileges it would be possible to execute any command on a device, which could allow the installation of malware or the theft of sensitive data.
The vulnerability affects a wide range of Apple devices, including iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation). The vulnerability has been fixed in iOS 15.0.2 and iPadOS 15.0.2. Users have been advised to apply the security update as soon as possible.
Details of the exact nature of the vulnerability have not been released; however, shortly after the new iOS version was released, security researcher Saar Amar reverse engineered the patch, confirmed the severity of the flaw, and developed a proof-of-concept exploit.
The zero-day vulnerability is one of several zero-day flaws that have been patched by Apple this year. Last month, Apple released iOS 15 which included patches for 22 bugs, some of which could be used in remote denial-of-service, authentication bypass, and code execution attacks on iPhones and iPads. The new version of the operating system is more security focused and includes a built-in two-factor authentication code generator and anti-tracking security and privacy features.
Just a few days before the iOS 15 release, Apple issued an emergency update to fix two actively exploited zero days in the operating system that were being exploited to install Pegasus spyware. The latest bug is the 16th actively exploited zero-day vulnerability affecting Apple products to be documented this year.