Apple Releases Pressing 0-Day Bug Patch for Mac, iPhone and iPad Gadgets


Apple on Monday rolled out an pressing safety replace for iOS, iPadOS, and macOS to deal with a zero-day flaw that it mentioned might have been actively exploited, making it the thirteenth such vulnerability Apple has patched for the reason that begin of this yr.

The updates, which arrive lower than per week after the corporate launched iOS 14.7, iPadOS 14.7, and macOS Huge Sur 11.5 to the general public, fixes a reminiscence corruption challenge (CVE-2021-30807) within the IOMobileFrameBuffer element, a kernel extension for managing the display screen framebuffer, that may very well be abused to execute arbitrary code with kernel privileges.

The corporate mentioned it addressed the problem with improved reminiscence dealing with, noting it is “conscious of a report that this challenge might have been actively exploited.” As is often the case, further particulars concerning the flaw haven’t been disclosed to forestall the weaponization of the vulnerability for added assaults. Apple credited an nameless researcher for locating and reporting the vulnerability.

Stack Overflow Teams

The timing of the replace additionally raises questions on whether or not the zero-day had been exploited by NSO Group’s Pegasus software, which has turn into the main focus of a sequence of investigative reports which have uncovered how the spy ware software turned cell phones of journalists, human rights activists, and others into transportable surveillance gadgets, granting full entry to delicate info saved in them.

CVE-2021-30807 can also be the thirteenth zero-day vulnerability addressed by Apple this yr alone, together with —

  • CVE-2021-1782 (Kernel) – A malicious utility might be able to elevate privileges
  • CVE-2021-1870 (WebKit) – A distant attacker might be able to trigger arbitrary code execution
  • CVE-2021-1871 (WebKit) – A distant attacker might be able to trigger arbitrary code execution
  • CVE-2021-1879 (WebKit) – Processing maliciously crafted internet content material might result in common cross-site scripting
  • CVE-2021-30657 (System Preferences) – A malicious utility might bypass Gatekeeper checks
  • CVE-2021-30661 (WebKit Storage) – Processing maliciously crafted internet content material might result in arbitrary code execution
  • CVE-2021-30663 (WebKit) – Processing maliciously crafted internet content material might result in arbitrary code execution
  • CVE-2021-30665 (WebKit) – Processing maliciously crafted internet content material might result in arbitrary code execution
  • CVE-2021-30666 (WebKit) – Processing maliciously crafted internet content material might result in arbitrary code execution
  • CVE-2021-30713 (TCC framework) – A malicious utility might be able to bypass Privateness preferences
  • CVE-2021-30761 (WebKit) – Processing maliciously crafted internet content material might result in arbitrary code execution
  • CVE-2021-30762 (WebKit) – Processing maliciously crafted internet content material might result in arbitrary code execution

Given the public availability of a proof-of-concept (PoC) exploit, it is extremely advisable that customers transfer rapidly to replace their gadgets to the newest model to mitigate the danger related to the flaw.





Source link