
Apple fixes zero-day affecting iPhones and Macs, exploited in the wild

Apple has released security updates to address a zero-day vulnerability exploited in the wild and impacting iPhones, iPads, and Macs.

The vulnerability, tracked as CVE-2021-30807, is a memory corruption issue in the IOMobileFramebuffer kernel extension reported by an anonymous researcher.

Apple has fixed the bug, which allows applications to execute arbitrary code with kernel privileges, by improving memory handling in iOS 14.7.1, iPadOS 14.7.1, and macOS Big Sur 11.5.1.

The list of impacted devices includes Macs, iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).

“Apple is aware of a report that this issue may have been actively exploited,” the company said in security advisories published earlier today.

While Apple did disclose that at least one report mentioned active exploitation of CVE-2021-30807 in the wild, the company did not release any additional information regarding these attacks.

Withholding this info is likely a measure designed to allow the security updates released today to reach as many iPhones, iPads, and Macs as possible before other threat actors pick up on the details and start actively abusing the now-patched zero-day.

Long list of zero-days patched this year

Since the start of 2021, Apple has released security updates to address what looks like an endless wave of zero-day vulnerabilities, many of them tagged by the company as exploited in the wild:

  • three iOS zero-days (CVE-2021-1870, CVE-2021-1871, CVE-2021-1872) in February, exploited in the wild and reported by anonymous researchers.
  • an iOS zero-day (CVE-2021-1879) in March that may have also been actively exploited.
  • one zero-day in iOS (CVE-2021-30661) and one in macOS (CVE-2021-30657) in April, exploited by Shlayer malware.
  • three other iOS zero-days (CVE-2021-30663, CVE-2021-30665, and CVE-2021-30666) in May, bugs allowing for arbitrary remote code execution (RCE) on vulnerable devices simply by visiting malicious websites.
  • a macOS zero-day (CVE-2021-30713) in May, a vulnerability abused by the XCSSET malware to bypass Apple’s TCC protections designed to safeguard users’ privacy.
  • two iOS zero-day bugs (CVE-2021-30761 and CVE-2021-30762) in June that “may have been actively exploited” to hack into older iPhone, iPad, and iPod devices.

Last month, Amnesty International and Forbidden Stories also revealed that they found spyware made by Israeli surveillance vendor NSO Group deployed on iPhones running the latest iOS release, likely hacked using zero-day zero-click iMessage exploits.

Project Zero also recently revealed that a group of hackers used 11 zero-days in attacks targeting Windows, iOS, and Android users within a single year.

Source: https://www.bleepingcomputer.com/news/apple/apple-fixes-zero-day-affecting-iphones-and-macs-exploited-in-the-wild/