Apple unexpectedly released security updates yesterday (July 26) for iPhones, iPads and Macs to fix a single zero-day flaw that's apparently already being used to attack devices. You'll need to update ASAP to iOS 14.7.1, iPad OS 14.7.1 and macOS Big Sur 11.5.1.
The flaw is in the IOMobileFrameBuffer, which controls how an application manager manages a device's display. Apple says the vulnerability makes it possible for "an application... to execute arbitrary code with kernel privileges." That means an app already present on a Mac, iPhone or iPad — for example, Trojan malware pretending to be a benign app — could leverage the flaw to seize control of the entire device.
- Macs under attack from Windows malware — what you need to do
- The best Mac antivirus software
- Plus: New larger high-end iMac tipped to arrive next year
In its characteristically terse way, Apple's security advisories noted that the company "is aware of a report that this issue may have been actively exploited." I.e., it's a software flaw that was exploited before the software maker learned of the flaw, giving Apple zero days' warning. The vulnerability has been assigned the catalogue number CVE-2021-30807.
Apple credits "an anonymous researcher" with discovering the flaw, but hasn't said whether it's related to the Pegasus mobile spyware that's been in the news lately.
Yet Apple is clearly spooked enough by the flaw to push out an emergency update without much else to accompany it — the only other fix with any of these three updates was to an Apple Watch pairing issue. Apple released much larger updates to its various operating systems just last week.
Soon after Apple posted its security advisories, a Twitter user called "binaryboy" posted what purports to be a working exploit of the flaw.
CVE-2021-30807 POC:int main(){io_service_t s = IOServiceGetMatchingService(0, IOServiceMatching("AppleCLCD"));io_connect_t c;IOServiceOpen(s,mach_task_self(),0,&c);uint64_t a[1] = {0xFFFFFFFF};uint64_t b[1] = {0};uint32_t o = 1;IOConnectCallScalarMethod(c,83,a,1,b,&o);}July 26, 2021
And a security researcher who uses his real name on Twitter said he'd found the flaw a few months ago, but had not yet submitted it to Apple. He quickly wrote up a rather technical blog post explaining his discoveries.
So, as it turns out, an LPE vulnerability I found 4 months ago in IOMFB is now patched in iOS 14.7.1 as in-the-wild. I wanted to share some knowledge and details about the bug and some ways to exploit it. Hope you'll find it useful, check it out! https://t.co/fxLTJZgc3BJuly 26, 2021
The updates are available for all Macs capable of running Big Sur, plus, in Apple's words, "iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)."
- More: The best Mac antivirus software out right now
