Facepalm: Apple’s iOS 15 (and, by extension, iPadOS 15) has been an extremely buggy release. In addition to several flaws that plagued the iPhone 13, the operating system shipped with at least two actively exploited zero-day vulnerabilities that Apple engineers had to fix in a hurry.
Apple on Monday released an urgent security patch for a zero-day flaw in iOS 15 and iPadOS 15 that hackers are actively exploiting. The patch arrived on the same day that iOS 15.0.1 was released.
The bug (CVE-2021-30883) is a memory corruption flaw in IOMobileFrameBuffer, a kernel component that manages the memory applications use to drive the display.
“An application may be able to execute arbitrary code with kernel privileges,” read Apple’s release notes. “Apple is aware of a report that this issue may have been actively exploited.”
The patch notes do not go into the details of the bug. However, shortly after Apple released iOS and iPadOS 15.0.2, security researcher Saar Amar published a blog post explaining the flaw and a proof of concept (POC) showing that it triggers “100% of the time”. Amar said the flaw is “ideal for jailbreaks” because it is reachable from within the app sandbox.
After examining the patch with BinDiff (a tool that shows differences between disassembled binaries), Amar concluded that the flaw was not only useful for gaining kernel privileges but could also be used for LPE (local privilege escalation) exploits.
He tested his very simple POC (a single page of code) on iOS versions 14.7.1 (a physical iPhone X) and 15.0 (a virtual iPhone 11 Pro), but said the bug was probably much older than that. He ran the code five times on each device, and the POC triggered a kernel panic every time. Amar’s code also triggered integer overflows in areas other than IOMobileFrameBuffer, but the patch appears to have fixed those as well.
“An important and interesting note is that other implementations of these functions in other classes have also had this integer overflow,” Amar wrote. “As far as I know, the patch fixed them as well.”
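The bug class described above (an integer overflow in a size calculation that ends in memory corruption) can be illustrated in user space without any kernel code. The example below is added here and is not Amar’s POC or the actual IOMobileFrameBuffer code; the function names, the 32-bit size field and the sample inputs are all constructed assumptions. It shows how an unchecked `count * stride` wraps to a tiny allocation, and how overflow-checked arithmetic (the same pattern XNU exposes in `<os/overflow.h>`) rejects the request instead.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example: the naive computation of a buffer size from a
 * caller-controlled element count and stride. Because both operands are
 * 32-bit, the product wraps modulo 2^32 and a huge count can yield a
 * very small size, so the buffer allocated afterwards is undersized. */
uint32_t naive_buffer_size(uint32_t count, uint32_t stride) {
    return count * stride;   /* silently wraps on overflow */
}

/* Checked version: __builtin_mul_overflow (GCC/Clang) reports whether the
 * mathematically correct product fits in 32 bits; XNU's os_mul_overflow()
 * in <os/overflow.h> offers the same check. The request is refused
 * rather than truncated. */
bool checked_buffer_size(uint32_t count, uint32_t stride, uint32_t *out) {
    uint32_t size;
    if (__builtin_mul_overflow(count, stride, &size)) {
        return false;        /* caller must treat this as an error */
    }
    *out = size;
    return true;
}

/* Returns true when the naive size is smaller than the bytes a loop
 * writing `count` elements of `stride` bytes would actually touch,
 * i.e. when the wrapped size would lead to an out-of-bounds write. */
bool naive_allocation_is_undersized(uint32_t count, uint32_t stride) {
    uint64_t true_size = (uint64_t)count * (uint64_t)stride;
    return (uint64_t)naive_buffer_size(count, stride) < true_size;
}

int main(void) {
    /* Constructed inputs: 0x10000001 * 16 = 0x100000010, whose low 32 bits
     * are 0x10, so the naive path would allocate only 16 bytes. */
    uint32_t count = 0x10000001u, stride = 16u, size = 0;
    printf("naive size      : %u bytes\n", naive_buffer_size(count, stride));
    printf("undersized      : %s\n",
           naive_allocation_is_undersized(count, stride) ? "yes" : "no");
    printf("checked accepts : %s\n",
           checked_buffer_size(count, stride, &size) ? "yes" : "no");
    return 0;
}
```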
Jailbreak potential aside, this security flaw is similar to the nasty one (CVE-2021-30807) that Apple fixed in July. Attackers could use the bug to completely hijack a device (and apparently already are), so it’s best to install the patch as soon as possible.