iOS 14 Update Fixes Memory Corruption Zero Day
Apple fixed CVE-2021-30883, an iOS zero day, weeks ago in iOS 15. Now a patch has arrived for those still running iOS 14.
While Apple has been pushing updates more often, almost bimonthly, this week's updates resolve some critical vulnerabilities that merit users' attention.
The updates for iOS 14 and iPadOS 14 arrived on Tuesday but one bug in iOS should be reason enough for users to update as soon as possible.
The issue, CVE-2021-30883, is a memory corruption bug in IOMobileFrameBuffer, a kernel extension for managing the screen framebuffer, and was being exploited in the wild. Apple warns that through the bug an application could execute arbitrary code with kernel privileges. According to Apple's advisory, the issue affects nearly every iOS device: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
Other bugs fixed include those that could be used to elevate privileges (CVE-2021-30907) and cause arbitrary code execution, some with kernel privileges.
Many of the same bugs, including the IOMobileFrameBuffer one, were also fixed in tvOS on Monday, a day earlier.
CVE-2021-30883 had actually been previously fixed in iOS and iPadOS 15 earlier this month. Apple patched it in iOS 15.0.2 and iPadOS 15.0.2 on October 11. This week's patches are for anyone who may still be running iOS 14.
The issue was one of 12 resolved in iOS 14 this week. Users still running it should update to iOS 14.8.1 and iPadOS 14.8.1, the latest iOS 14 releases of the two operating systems, to remediate the issue.
Users running iOS 15 likely noticed that it received an update this week too. While Apple doesn't say any of them were exploited publicly, 22 vulnerabilities were fixed in iOS 15.1 and iPadOS 15.1 on Monday. tvOS 15.1, watchOS 8.1, macOS Catalina, and macOS Big Sur also received updates on Monday that users should make time to install this week.
The CVE-2021-30883 bug is the latest in a line of zero day vulnerabilities patched by Apple. Last month's much-publicized zero day, CVE-2021-30860, affected the iPhone, iPad, Mac and Apple Watch. Until it was fixed, the vulnerability, also known as ForcedEntry, had been exploited by NSO Group to spread its Pegasus spyware.