Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Apple Confirms iOS 15 Zero-Day Exploitation

Apple rushes out iOS 15.0.2 to address a remote code execution vulnerability that is being actively exploited

Apple’s iOS zero-day problems appear to be getting worse.

Apple rushes out iOS 15.0.2 to address a remote code execution vulnerability that is being actively exploited

Apple’s iOS zero-day problems appear to be getting worse.

Just weeks after shipping iOS 15 as a security-themed upgrade, Apple rushed out an urgent patch to address a software flaw being “actively exploited” in the wild.

The Cupertino, Calif. device maker confirmed the latest zero-day in an advisory and urged iOS and iPad users to upgrade to the newest iOS 15.0.2.

This is the 72nd in-the-wild zero day attack documented so far in 2021. According to data tracked by SecurityWeek, 16 of the 72 exploited zero-days affect code in Apple’s products.

According to Apple’s advisory, the security defect (CVE-2021-30883) exists in IOMobileFrameBuffer, a kernel extension used to manage the screen frame buffer.  

“An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited,” the company said. 

Apple did not provide additional details on the exploitation.

Advertisement. Scroll to continue reading.

[ READ:  Apple Ships Urgent Patch for FORCEDENTRY Zero-Days ]

Shortly after the release of iOS 15.0.2, a security researcher reverse-engineered the patch and published proof-of-concept code to demonstrate the severity of the issue.

The urgent point-update comes less than a month after the release of iOS 15 with a built-in two-factor authentication code generator and multiple anti-tracking security and privacy features.

The iOS 15 makeover also included patches for at least 22 documented security vulnerabilities, some serious enough to expose iPhone and iPad users to remote denial-of-service and local code execution attacks.

According to Apple, the built-in authenticator can generate verification codes needed for additional sign-in security. “If a site offers two-factor authentication, you can set up verification codes under Passwords in Settings — no need to download an additional app. Once set up, verification codes autofill when you sign in to the site.”

Another notable feature is Mail Privacy Protection, a new feature that prevents email marketers from learning information about an iPhone user’s Mail activity.

RelatedApple Ships iOS 15 with MFA Code Generator

RelatedApple Confirms New Zero-Day Attacks on Older iPhones

Related: Apple Ships Urgent Patch for FORCEDENTRY Zero-Days

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.