Apple has released a security update for iOS and iPad to fix a zero-day vulnerability that it says is being exploited in the real-world attacks.
The zero-day flaw (CVE-2021-30883) has been described as a buffer overflow issue caused by a boundary error within the IOMobileFrameBuffer subsystem. By exploiting this bug, a malicious application can trigger memory corruption and execute arbitrary code on with kernel privileges.
In July, Apple addressed another zero-day issue in IOMobileFrameBuffer (CVE-2021-30807), that, as in the above case, allowed a local application to execute code with kernel privileges.
As usual, Apple has refrained fr om publishing further information about when or wh ere attacks exploiting CVE-2021-30883 took place or threat actors behind them.
However, security researcher Saar Amar shared additional details on the vulnerability, and a proof-of-concept (PoC) exploit, noting that “this attack surface is highly interesting because it's accessible from the app sandbox (so it's great for jailbreaks) and many other processes, making it a good candidate for LPEs exploits in chains.”
Last month, Apple fixed a zero-day vulnerability said to have been exploited by hackers to compromise iPhones and Macs running older iOS and macOS versions.