Apple has released security updates to address zero-day vulnerability exploited in the wild, impacting iPhones, iPads, and Macs. The vulnerability, tracked as CVE-2021-30807, is a memory corruption issue in the IOMobileFramebuffer kernel extension reported by an anonymous researcher, Bleeping Computer reports.
Apple says it is aware of a report that this issue may have been actively exploited. Apple has fixed the bug, allowing applications to execute arbitrary code with kernel privileges by improving memory handling in iOS 14.7.1, iPadOS 14.7.1, and macOS Big Sur 11.5.1.
The list of impacted devices includes Macs, iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation), Bleeping Computer says.
Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based endpoint-to-cloud security company, explains, “Vulnerabilities are inevitable in any software, which is why they’re constantly being discovered in mobile operating systems and apps. While having a flawless software release every time would be ideal, it’s close to impossible. Even though Apple has been in the news a number of times over these zero-day vulnerabilities, software developers everywhere run into vulnerabilities in their code. However, this is not to downplay the importance of updating your device as soon as a new OS version is available.”
Schless adds, “Apple does a great job of quickly releasing patches to ensure you’re protected from any potential exploits. However, people often ignore them until they’re forced to update. This could be risky to an enterprise that allows its employees to access corporate resources from their mobile devices. These days, that’s just about every enterprise out there. If an employee leaves this type of vulnerability unpatched, it could give an attacker backstage access to valuable data. Enterprises need a way to enforce OS update policies that protect their company and customer data from exploitable zero-day attacks.”