Apple released iOS 15.0.2 and iPadOS 15.0.2 to fix a zero-day vulnerability that is actively exploited in the wild in attacks targeting iPhones and iPads.
This vulnerability, identified as CVE-2021-30883, is a critical memory corruption bug that allows an application to execute commands on vulnerable devices with kernel privileges.
As kernel privileges allow the app to execute any command on the device, malicious actors could potentially use it to steal data or install other malware.
Although Apple did not provide any details on how this vulnerability was used in attacks, the company states that there are reports of it being actively exploited.
“Apple is aware of a report that this issue may have been actively exploited,” the company said in a security advisory released earlier today.
Apple is deliberately keeping the vulnerability reports vague to ensure that the update is applied to as many devices as possible before other threat actors can learn the details or reverse engineer the fix to create their own exploits.
The list of affected devices is quite long and covers both older and newer models, including iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
Although the vulnerability may be used in targeted attacks and not be widely used, you are strongly advised to install the update as soon as possible due to its severity.
Zero days gone wild
In addition to today’s zero-day, Apple has fixed what looks like an endless stream of zero-day vulnerabilities used in attacks on iPhone, iPad, and macOS devices:
- two zero-days earlier this month, one of them also used to install Pegasus spyware on iPhones,
- the FORCEDENTRY exploit disclosed in August (previously tracked by Amnesty Tech as Megalodon),
- three iOS zero-days (CVE-2021-1870, CVE-2021-1871, CVE-2021-1872) in February, exploited in the wild and reported by anonymous researchers,
- an iOS zero-day (CVE-2021-1879) in March which may also have been actively exploited,
- an iOS zero-day (CVE-2021-30661) and a macOS zero-day (CVE-2021-30657) in April, exploited by the Shlayer malware,
- three more iOS zero-days (CVE-2021-30663, CVE-2021-30665 and CVE-2021-30666) in May, bugs allowing arbitrary remote code execution (RCE) simply by visiting malicious websites,
- a macOS zero-day (CVE-2021-30713) in May, which was abused by XCSSET malware to bypass Apple’s TCC privacy protection,
- two zero-day iOS bugs (CVE-2021-30761 and CVE-2021-30762) in June that “may have been actively exploited” to hack older iPhone, iPad and iPod devices.
Last month, a researcher publicly disclosed exploits for three zero-day vulnerabilities after Apple delayed patching and failed to credit the person who reported them.