Apple patched a zero-day vulnerability in iOS 15.0.2 on Monday that enabled remote code execution with kernel privileges.
The iOS vulnerability, CVE-2021-30883, affects the IOMobileFrameBuffer kernel extension. Apple described the flaw in its security advisory as a memory corruption issue and said it “may have been actively exploited.”
Apple said in the advisory that the newly patched bug impacts “iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).” The post said that the company has received “a report” of exploitation but did not elaborate further.
SearchSecurity asked Apple how widespread the exploitation was, but a spokesperson declined to comment.
Mobile security vendor ZecOps tweeted Tuesday that because the latest iOS vulnerability can be exploited from a browser, it is “perfect” for watering hole attacks.
Saar Amar, a researcher with the Microsoft Security Response Center (MSRC), published a technical blog post about the vulnerability on GitHub that provided an overview of the bug and, broadly speaking, how it can be exploited. In the post, he called the vulnerability “great for jailbreaks” because it is accessible from the App Sandbox, and he showcased a proof of concept.
The origin of the zero-day is not known, and Apple credited the find to an “anonymous researcher.”
CVE-2021-30883 marks the latest flaw in a string of Apple zero-day vulnerabilities this year. More than a dozen such flaws have been exploited in the wild in 2021, several of which have impacted Apple’s WebKit browser engine.
In other vulnerability news, Apple has come under fire in recent weeks for its bug bounty program, which researchers have criticized for communication issues and, in some cases, an alleged lack of acknowledgement. Out of this frustration, one researcher publicly released three apparent zero-days last month.
Alexander Culafi is a writer, journalist and podcaster based in Boston.