Apple has released security updates iOS 15.0.2 and iPadOS 15.0.2 to fix a zero-day vulnerability that is being actively exploited in attacks targeting iPhones and iPads.
The vulnerability, tracked as CVE-2021-30883, allows an application to execute commands on vulnerable devices with kernel privileges. It is a critical memory corruption bug in IOMobileFrameBuffer.
📣 EMERGENCY UPDATE 📣
Today, Apple pushed updates for one new zero-day (CVE-2021-30883) in IOMobileFrameBuffer that was already used to attack users.
— Apple Security Updates (@ApplSec) October 11, 2021
Because kernel privileges allow the application to execute arbitrary code on the device, threat actors could potentially use the vulnerability to steal data or install further malware.
IOMobileFramebuffer is a kernel extension for managing the screen framebuffer. It is controlled by the user-land framework IOMobileFramework.
Per the release, the update is available for the following devices:
- iPhone 6s and later
- iPad Pro (all models)
- iPad Air 2 and later
- iPad 5th generation and later
- iPad mini 4 and later
- iPod touch (7th generation)
The vulnerability affects an unknown code block of the IOMobileFrameBuffer component. Manipulating an unknown input or code leads to memory corruption, which impacts confidentiality, integrity, and availability. VulDB, a vulnerability database and documentation community, has pegged the price of this exploit at around USD $10k-$25k and expects exploit prices for this product to increase soon.
According to the Apple release, upgrading to version 15.0.2 eliminates this vulnerability.
Stream of Vulnerabilities
Apple has been regularly releasing security updates in response to attacks against iPhones, iPads, and macOS devices to safeguard its customers from further exploitation. With the constant increase in data breaches and zero-day exploits, customers are encouraged to review security releases and apply the updates and patches as soon as possible.