Apple rolled out a critical security patch for iOS, iPadOS, and macOS devices on 26th July 2021 to fix the zero-day vulnerability issue that has been already actively being used for exploitation and can allow attackers to take over control of the affected devices.
This flaw is patched in iOS 14.7.1, iPadOS 14.7.1, and macOS 11.5.1 which was released last week, having the vulnerability of memory corruption bug, registered in CVE database as CVE-2021-30807.
Bug issue found in the IOMobileFrameBuffer module, a kernel extension for handling the screen frame buffer, that can exploit the application to execute arbitrary code with kernel privileges.
Official Statement of Apple on Security Patch Update:
The Apple organization released the document describing the security flaws, and their impact on their devices, also the patch available for which devices.
As per Apple security updates page, “An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.”
Including this, Apple has patched thirteen such security vulnerabilities since the beginning of the year.
Speculation on releasing the security patch on Apple devices:
There is speculation and questions that have been raised about the security patch is due to the zero-day vulnerability attack role in affected Apple devices using Pegasus spyware, a surveillance software of Israel cyberarms company, NSO Group, but this is not confirmed by the Apple company yet.
Read more about | What is Pegasus Spyware, its discovery, evolution, how it infects the phone, and what it can do in detail – Pegasus – A Sophisticated Spyware Tool.
What is Zero-day Vulnerability?
It is a software security vulnerability that is found in the devices but doesn’t have a patch or is yet to be released to fix the bug. The defect is known by the software vendor and should be focused on its mitigation.
Until then, the cyber attackers can utilize the security loophole to exploit and alter the programs, access data, steal credentials, etc.
Zero-day Vulnerability in Apple Devices on Pegasus Project Report:
This security patch update in Apple devices comes days after investigative reports emerged that the government agencies of different countries are utilizing Pegasus Spyware and unknowingly installing in the iOS and Android devices of politicians, journalists, and human activists.
Once the Pegasus spyware is installed, it can run arbitrary code, collect or steal any data, granting complete access to the compromised devices, and transmit it back to the attacker.
Read more about the Pegasus spyware used in India and other parts of the world, their responses and reports released by the Pegasus Project – A global investigation started by the group of news media organizations – Pegasus Spyware usage in India and Worldwide.
Apple’s Response on Zero-day Attack on their Devices in Pegasus Project Report:
The reports and proofs of a Pegasus spyware alerted the security of Apple’s closed ecosystem and started to make potential changes to the company’s security structure.
The Apple organization also published that they are ready to pay a $1 Million bounty if anyone discovers the type of vulnerability used by the Pegasus spyware in their devices.
As the security update reports are publicly available and with proof of exploit, it is highly suggested to update the Apple devices operating systems as soon as possible to mitigate the exploit related to the flaw.
Found this article interesting? Follow DefenseLead on Twitter, Facebook and LinkedIn to read more exclusive content.