Apple patches its 17th zero-day vulnerability of this year

In a security alert, Apple announced the release of iOS 15.0.2 and iPadOS 15.0.2 versions, which contain a patch to address a recently actively exploited zero-day flaw. Tracked as CVE-2021-30883, the vulnerability is described as a memory corruption error in IOMobileFrameBuffer feature, whose exploitation allows the execution of commands with kernel privileges.

Because kernel-level privileges allow threat actors to execute commands on the target device, the vulnerability would allow malicious hackers to inject malware and steal sensitive data.

Although the report does not mention technical details about the active exploitation of this flaw, it does mention that the attacks have already been confirmed: “We are aware that this flaw has been actively exploited,” the Apple message adds.

The disclosure of limited information about zero-day flaws is a standard measure in the technology industry, as it allows users to be aware of available updates while avoiding sharing details of the exploitation with potential threat actors, although the disclosure of these technical details cannot always be avoided.

In this case, cybersecurity specialist Saar Amar published a detailed white paper on the vulnerability, in addition to a proof-of-concept (PoC) exploit obtained by reverse-engineering the patch issued by Apple.

About the devices vulnerable to this attack, the list includes equipment from the iPhone 6s and iPad Air 2 model to the latest versions compatible with the updated iterations. At the moment there are no known workarounds to this vulnerability, so users of Apple devices are recommended to apply the updates as soon as possible.

This has been a tumultuous year for Apple in terms of cybersecurity, as the company has had to address multiple zero-day vulnerabilities in iOS and macOS. Among the most outstanding failures are:

  • Two flaws exploited in the wild to install the dangerous Pegasus spyware
  • FORCEDENTRY, a zero-day exploit for iOS found in August
  • CVE-2021-30713, a critical vulnerability to inject XCSSET malware into Apple devices
  • CVE-2021-30761 and CVE-2021-30762, two actively exploited zero-day vulnerabilities in iPhone, iPad and some iPod models

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.