Apple abruptly released security updates for iPhone, iPad, and Mac yesterday (July 26). You need to update to iOS 14.7.1, iPadOS 14.7.1, and macOS Big Sur 11.5.1 as soon as possible.
The flaw is in IOMobileFrameBuffer, which controls how the application manager manages the device's display. According to Apple, this vulnerability allows "applications to... execute arbitrary code with kernel privileges." This means that an app already present on a Mac, iPhone, or iPad (e.g., Trojan malware pretending to be a benign app) could use this flaw to take control of the entire device.
In its characteristically terse language, Apple's security advisory notes that the company is "aware of reports that this issue may have been actively exploited." In other words, it is a zero-day: a software flaw that was exploited before the software maker knew about it, giving Apple zero days of warning. The vulnerability has been assigned the identifier CVE-2021-30807.
Apple states that the flaw was discovered by an "anonymous researcher," but does not say whether it is related to the recent high-profile Pegasus mobile spyware.
However, Apple was clearly spooked by the flaw and released an emergency update without any other significant fixes. Apple had released more extensive updates to its various operating systems just last week.
Shortly after Apple released the security advisory, a Twitter user called "binaryboy" posted what he claimed was an exploit of the flaw.
Another security researcher, who uses his real name on Twitter, said he had found the flaw months ago but had not yet submitted it to Apple. He quickly wrote up a fairly technical blog post explaining his findings.
The update is available for all Macs capable of running Big Sur, plus, in Apple's words, "iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, iPod touch (7th generation)."