After delivering iOS 14.7, iPadOS 14.7, and macOS Big Sur 11.5 to the public a week ago, the company issued software updates to fix a memory corruption vulnerability (CVE-2021-30807) in the IOMobileFrameBuffer component which is a kernel extension, which could be exploited by malicious actors to run arbitrary code with kernel privileges.
The upgrade to iOS, iPadOS, and macOS, which Apple released on Monday, includes a new security update designed to address a zero-day vulnerability which it claimed may have been actively exploited, making it the thirteenth such critical flaw that Apple has fixed in 2021.
Apple’s spokesperson said that they resolved the issue by implementing better memory management. The company also claimed they have identified reports that this problem may have been actively exploited. A standard practice is to not provide further information about the issue to keep the weaponization of the vulnerability out of the hands of people with malicious intentions for any future attacks. The researcher who discovered and reported the issue to Apple is anonymous.
Questions about whether the zero-day had been exploited are also raised in light of the fact that NSO Group’s Pegasus software has drawn increased attention in the media after a number of investigative reports revealed that the spyware tool allowed to turn mobile phones of activists and journalists into portable surveillance devices that granted total access to sensitive information stored on the phones.
Since the beginning of 2020, Apple has fixed twelve other zero-day vulnerabilities, with CVE-2021-30807 being the thirteenth in line.
Considering that a proof-of-concept (PoC) exploit already has been published, Mac, iPhone and iPad users should upgrade their devices as soon as possible to ensure that they aren’t vulnerable to any possible attacks aimed at this specific flaw.