If you’re using an iPhone, install the iOS 15.0.2 update immediately: Apple has warned that the latest OS upgrade patches an “actively exploited” zero-day.
Described as a “memory corruption issue” by Apple, the vuln is present within the IOMobileFrameBuffer kernel extension, used for managing display memory. Malicious applications are said to be capable of triggering an integer overflow in the framebuffer, permitting execution of arbitrary code with kernel privileges.
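To make the "integer overflow in the framebuffer" description concrete, here is an added illustrative C example, not Apple's code and not the IOMobileFrameBuffer function at issue (whose internals the article does not describe). It shows the generic defect class: a buffer size computed as width x height x bytes-per-pixel in 32-bit arithmetic wraps modulo 2^32, so a request describing an enormous surface gets a tiny allocation while the driver still trusts the original dimensions. The hardened variant multiplies in `size_t`, rejects any step that would wrap, and applies a sanity bound. The struct, the `MAX_FB_BYTES` limit and the sample dimensions are all constructed for the example.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed upper bound; a real driver would tie this to the hardware. */
#define MAX_FB_BYTES ((size_t)256 * 1024 * 1024)

/* Hypothetical surface request as a sandboxed client might hand to a driver.
   Not the IOMobileFrameBuffer structure; constructed for illustration only. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;
} fb_request_t;

/* Vulnerable pattern: the product is evaluated in 32-bit unsigned arithmetic,
   so large dimensions wrap modulo 2^32 and a small buffer is sized for a
   surface the rest of the driver still believes is huge. */
uint32_t fb_size_unchecked(const fb_request_t *req)
{
    return req->width * req->height * req->bytes_per_pixel; /* may wrap */
}

/* Hardened pattern: multiply in size_t, refuse any step that would wrap,
   and refuse zero-sized or implausibly large surfaces. Returns true on success. */
bool fb_size_checked(const fb_request_t *req, size_t *out)
{
    size_t w = req->width, h = req->height, bpp = req->bytes_per_pixel;
    if (w == 0 || h == 0 || bpp == 0)
        return false;
    if (w > SIZE_MAX / h)          /* w * h would wrap */
        return false;
    size_t pixels = w * h;
    if (pixels > SIZE_MAX / bpp)   /* pixels * bpp would wrap */
        return false;
    size_t bytes = pixels * bpp;
    if (bytes > MAX_FB_BYTES)      /* sanity bound on the final size */
        return false;
    *out = bytes;
    return true;
}

/* Convenience wrapper: checked size, or 0 when the request is rejected. */
size_t fb_size_or_zero(uint32_t w, uint32_t h, uint32_t bpp)
{
    fb_request_t req = { w, h, bpp };
    size_t bytes = 0;
    return fb_size_checked(&req, &bytes) ? bytes : 0;
}

/* Allocate a framebuffer only when the size survived the checks above. */
void *fb_alloc_checked(const fb_request_t *req, size_t *out_bytes)
{
    size_t bytes;
    if (!fb_size_checked(req, &bytes))
        return NULL;
    void *buf = calloc(1, bytes);
    if (buf && out_bytes)
        *out_bytes = bytes;
    return buf;
}

int main(void)
{
    /* Constructed inputs: a normal 1080p surface and one whose byte count wraps. */
    fb_request_t normal = { 1920, 1080, 4 };
    fb_request_t wrap   = { 65536, 65537, 4 }; /* 65536*65537*4 = 2^34 + 2^18 */
    size_t n = 0;

    printf("1080p: unchecked=%" PRIu32 " checked=%s\n",
           fb_size_unchecked(&normal),
           fb_size_checked(&normal, &n) ? "accepted" : "rejected");
    printf("wrap : unchecked=%" PRIu32 " checked=%s\n",
           fb_size_unchecked(&wrap),
           fb_size_checked(&wrap, &n) ? "accepted" : "rejected");
    return 0;
}
```

The wrapping request is the instructive case: the unchecked computation yields 262144 bytes for a surface that really needs more than 16 GiB, while the checked path rejects it before any allocation happens. In a kernel driver, every size that is derived from caller-controlled dimensions should go through an overflow-aware path like `fb_size_checked` rather than a bare multiplication.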
The bug, publicly tracked as CVE-2021-30883, has not yet been documented in full, although technical descriptions and proofs of concept are already circulating on security-focused areas of the web.
While Apple stuck to its customarily terse and detail-free description of the vuln on its patch notes page, the world has been heavily focused on an iPhone-specific malware strain – Pegasus, one of Israeli malware vendor NSO Group’s flagship products. Pegasus is the tip of the iceberg, as NCSC chief exec Lindy Cameron mentioned yesterday in a major speech.
Reverse engineer and exploit mitigator Saar Amar published a technical analysis and proof-of-concept exploit shortly after Apple pushed the update, noting that the exploitable function “is accessible directly from the app sandbox” by iOS apps, with no special user-account privileges required.
Precise details of how Pegasus infects iPhones aren’t available in public, though it is understood that the malware was previously known to be capable of spreading without user interaction – “no-click install” is the phrase preferred by NSO. Previous methods that may have been used include an exploit of a now-patched WhatsApp zero-day that allowed attackers to infect a target by making booby-trapped WhatsApp calls to the victim’s iPhone or Android handset – calls they didn’t even have to answer.
Pegasus malware is sold to nation states for surveillance purposes and can harvest user data and log information from a host of commonly used apps. It has been widely used to spy on human rights activists whose activities might embarrass rulers of authoritarian countries.
Jake Moore, a cybersecurity specialist with antivirus firm ESET, commented: “Kernel-level access is about the most severe vulnerability you can get which means this is no ordinary patch and must be attended to as soon as possible. Criminal hackers will continue to attack any given weakness which is why automating security updates remains the safest way of keeping devices up to date.”
The flaw is quite similar to one patched in July, which also existed in IOMobileFrameBuffer and which Amar said he had independently come across, though Apple formally credited an anonymous researcher. ®