Apple patches iOS vulnerability actively exploited in the wild

Apple patched a zero-day vulnerability in iOS 15.0.2 on Monday that enabled remote code execution with kernel privileges.

The iOS vulnerability, CVE-2021-30883, impacts kernel extension IOMobileFrameBuffer. Apple described the flaw in its security advisory as a memory corruption issue and said it “may have been actively exploited.”

Apple said in the advisory that the newly patched bug impacts “iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).” The post said that the company has received “a report” of exploitation but did not elaborate further.

SearchSecurity asked Apple how widespread the exploitation was, but a spokesperson declined to comment.

Mobile security vendor ZecOps tweeted Tuesday that because the latest iOS vulnerability can be exploited from a browser, it is “perfect” for watering hole attacks.

Saar Amar, a researcher with the Microsoft Security Response Center (MSRC), published a technical blog about the vulnerability on GitHub that provided an overview of the bug and, broadly speaking, how it can be exploited. In the post, he called the vulnerability “great for jailbreaks” because it is reachable from within the App Sandbox, and showcased a proof of concept.

The origin of the zero-day is not known, and Apple credited the find to an “anonymous researcher.”

CVE-2021-30883 marks the latest flaw in a string of Apple zero-day vulnerabilities this year. More than a dozen such flaws have been exploited in the wild in 2021, several of which have impacted Apple’s WebKit browser engine.

In other vulnerability news, Apple has come under fire in recent weeks for its bug bounty program, which researchers have criticized for communication issues and, in some cases, an alleged lack of acknowledgement. From this frustration, one researcher publicly released three apparent zero-days last month.

Alexander Culafi is a writer, journalist and podcaster based in Boston.


Apple patches operating systems due to ‘no click’ spyware exploit

In mid-September, Apple was forced to issue an emergency security update for its iPhone, iPad, Mac, and Watch operating systems after being alerted to a “no click” exploit allegedly tied to the Pegasus surveillance software distributed by the Israeli company NSO Group.

The Citizen Lab, a Canadian human rights and security advocacy group, alerted Apple to the exploit, dubbed FORCEDENTRY. The exploit, which targeted Apple’s image rendering library, was found on the phone of a Saudi activist that Citizen Lab examined back in March. The exploit uses “maliciously crafted” PDF files that could lead to “arbitrary code execution,” Apple said in a security bulletin.

The “no click” designation by Citizen Lab means Apple users don’t need to open the PDF sent to them for the spyware to infect their devices. Once installed, Pegasus gives attackers “virtually unfettered access to the victim’s device, where it can monitor messages, listen in on calls, activate the camera, and more,” said Daniel Markuson, a digital privacy expert at NordVPN.

The Citizen Lab spearheaded recent reporting on the NSO Group’s surveillance software, with news stories in July saying the company’s military-grade Pegasus product had been used to spy on business executives, journalists, human rights advocates, and government officials. NSO Group has disputed the reporting, saying it sells the software to governments to fight crime and terrorism.

But with some NSO customers using the software to spy on other people, several security experts urged Apple users to update their devices immediately.

“These new accusations bring a heightened sense of concern among privacy activists that no smartphone user, even those using software like WhatsApp or Signal, is safe from their privacy being infringed upon,” Markuson told the Washington Examiner. “Cyber-tech surveillance can be a real threat from both individuals and institutions, and this situation with NSO Group is only bringing this long-lasting issue into the limelight.”

Pegasus illustrates the importance of comprehensive mobile security efforts at an organization, added Hank Schless, senior…


Apple patches security flaw that leaves users vulnerable to spyware

NSO’s Pegasus was in July linked to phones belonging to dozens of journalists, human rights activists and politicians, according to an investigation by a consortium of newspapers. Civil rights activists say the software – which requires an Israeli government licence for export because it is viewed as a weapon – can be used for unlawful surveillance, not just by certain governments to target terrorists and criminals.

In a statement, the company said: “NSO Group will continue to provide intelligence and law enforcement agencies around the world with life-saving technologies to fight terror and crime.”

Chat apps a weak link

Citizen Lab said its discovery of another previously unknown vulnerability on Apple hardware “illustrates that companies … are facilitating ‘despotism-as-a-service’ for unaccountable government security agencies. Regulation of this growing, highly profitable, and harmful marketplace is desperately needed.”

Apple said it was issuing the patch because “processing a maliciously crafted PDF may lead to arbitrary code execution”. It said it was “aware of a report that this issue may have been actively exploited”.

Separately, Ivan Krstic, head of security engineering and architecture at Apple, said in a statement that “attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals”, adding that they were “not a threat to the overwhelming majority of our users”.

Nevertheless, the revelation could further dent the image of iOS as a more secure operating system than Android. Apple has long emphasised that no system can be 100 per cent secure from hackers.

Citizen Lab said chat apps in particular had become “a major target for the most sophisticated threat actors, including nation-state espionage operations and the mercenary spyware companies that service them”.

Financial Times


Samsung Galaxy A8 (2018) gets monthly security patches

Owners of mid-range devices don’t expect to get as many updates and security patches as flagship devices do, so when they do get something, it’s a pleasant surprise. Owners of the Galaxy A8 (2018) got a “gift” as they have received the September security patch just weeks after getting the June and August updates as well. While there don’t seem to be any new features that come with this update, having security patches on a more regular basis is already a pretty good treat to have.

The upper mid-range Galaxy A8 (2018) enterprise edition is only supposed to get a quarterly security update while the non-enterprise model usually gets it every six months. We don’t know if that schedule has now changed for good as they are receiving the security update for the month of September, as per SAM Mobile. This is just weeks after they have already received the June and August update, skipping the July one apparently.

It’s also possible that the September security patch addresses some critical issues that couldn’t wait until the next scheduled update. What we do know is that firmware version A530FXXSLCUH5 has started rolling out in South America, Colombia in particular. This should also expand to other markets in the next few weeks. There are no new features or enhancements in this update, just the security patch.

Samsung devices are guaranteed up to three years of OS updates and four years of security updates so the Galaxy A8 (2018) is nearing its update end date. The European Union has been fighting to get OEMs to extend these to five years as part of their right to repair act. The German federal government is also thinking to extend that to seven years. This might force companies like Samsung to extend everything eventually, not just in those territories.

For now, if you have the Galaxy A8 (2018) with model number SM-A530F, enjoy the new September security patch update. You can check if it’s already available by going to the Settings and Software update section.