Apple releases fix for iOS and macOS zero-day, 13th this year
Apple has released patches today for iOS, iPadOS, and macOS to address a zero-day vulnerability that the company says has been exploited in the wild.
Tracked as CVE-2021-30807, Apple said the zero-day impacts IOMobileFramebuffer, a kernel extension that allows developers to control how a device's memory handles the screen display—the screen framebuffer, to be more exact.
According to Apple, an application may exploit CVE-2021-30807 to execute arbitrary code with kernel privileges on a vulnerable and unpatched device.
Gaining access to kernel privileges effectively gives attackers full control over a device, be it an iPhone, iPad, or macOS notebook or desktop.
In security advisories for iOS/iPadOS and macOS today, Apple said it was aware of a report that this vulnerability might have been exploited in the wild, but the company did not elaborate.
An Apple spokesperson did not return a request for comment seeking additional details.
Shortly after this article went live, a security researcher published proof-of-concept code for the CVE-2021-30807 vulnerability on their Twitter timeline. A second security researcher, who claims to have found the same bug independently, also published a detailed write-up of the issue, which he said he was preparing to report to Apple before he was surprised to find out today that the OS maker had already patched it.
CVE-2021-30807 POC:

```c
int main(){
    io_service_t s = IOServiceGetMatchingService(0, IOServiceMatching("AppleCLCD"));
    io_connect_t c;
    IOServiceOpen(s,mach_task_self(),0,&c);
    uint64_t a[1] = {0xFFFFFFFF};
    uint64_t b[1] = {0};
    uint32_t o = 1;
    IOConnectCallScalarMethod(c,83,a,1,b,&o);
}
```

— binaryboy (@b1n4r1b01) July 26, 2021
Apple encourages users to update to macOS Big Sur 11.5.1, iOS 14.7.1, and iPadOS 14.7.1, versions it released today to address the CVE-2021-30807 vulnerability.
The updates are available for macOS notebooks and desktops, iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
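For administrators who need to find unpatched devices, the following added example (not from Apple or from the original article) checks an inventory export against the fixed versions listed above. The CSV columns, host names and status labels are constructed for illustration.

```python
import csv
import io

# Fixed versions for CVE-2021-30807, as listed in the article.
FIXED = {"macOS": (11, 5, 1), "iOS": (14, 7, 1), "iPadOS": (14, 7, 1)}

# Constructed sample inventory; the column names are assumptions.
SAMPLE_INVENTORY = """host,os,version
mbp-041,macOS,11.5.1
mbp-017,macOS,11.4
imac-003,macOS,10.15.7
iphone-112,iOS,14.7
ipad-020,iPadOS,14.7.1
atv-002,tvOS,14.7
iphone-090,iOS,14.x
"""

def parse_version(text):
    """Turn '14.7' into (14, 7, 0); raises ValueError on non-numeric parts."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def classify(os_name, version):
    fixed = FIXED.get(os_name)
    if fixed is None:
        return "out-of-scope"      # platform not named in the article
    try:
        found = parse_version(version)
    except ValueError:
        return "unparseable"       # needs manual review, never assume patched
    if found[0] != fixed[0]:
        # The article gives fixed versions only for macOS 11 and iOS/iPadOS 14;
        # other major releases have to be checked against Apple's advisories.
        return "check-advisory"
    return "patched" if found >= fixed else "vulnerable"

def audit(csv_text):
    """Map each host in the CSV to its patch status."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["host"]: classify(r["os"], r["version"]) for r in rows}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Note that a device reporting 14.7 is flagged as vulnerable, since the fix shipped in 14.7.1.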
While there is a pretty solid chance that this "zero-day" might be a new exploit used by the iOS jailbreaking community to root iPhones, it is also unclear if today's zero-day is in any way related to NSO Group, an Israeli company that sells iPhone hacking tools to governments around the world, and which was recently at the center of a large number of investigative reports that have exposed some of its past hacking.
Today's patches mark the 13th zero-day Apple has patched this year. Previous zero-days included:
CVE | Patch date | Description |
---|---|---|
CVE-2021-1782 | February 1 | A zero-day impacting the macOS, iOS, iPadOS, watchOS, and tvOS kernels. |
CVE-2021-1870 | February 1 | WebKit zero-day impacting macOS, iOS, iPadOS, and watchOS |
CVE-2021-1871 | February 1 | WebKit zero-day impacting macOS, iOS, iPadOS, and watchOS |
CVE-2021-1879 | March 26 | WebKit bug impacting both old and new-gen iOS, iPadOS, and watchOS |
CVE-2021-30657 | April 26 | macOS Gatekeeper bypass abused by Shlayer malware |
CVE-2021-30661 | April 26 | WebKit zero-day impacting old and new-gen iOS, iPadOS, watchOS, and tvOS. |
CVE-2021-30663 | May 3 | WebKit zero-day impacting macOS, iOS, iPadOS, and watchOS |
CVE-2021-30665 | May 3 | WebKit zero-day impacting macOS, iOS, iPadOS, and watchOS |
CVE-2021-30666 | May 3 | WebKit zero-day impacting macOS, iOS, iPadOS, and watchOS |
CVE-2021-30713 | May 24 | macOS TCC bypass abused by XCSSET malware |
CVE-2021-30761 | June 14 | WebKit zero-day impacting old-gen iOS devices |
CVE-2021-30762 | June 14 | WebKit zero-day impacting old-gen iOS devices |
Article updated to add tweet containing PoC exploit.
Catalin Cimpanu is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.