iOS 14 Update Fixes Memory Corruption Zero Day

by Chris Brook on Wednesday October 27, 2021

Contact Us
Free Demo
Chat

Apple fixed CVE-2021-30883, a iOS zero day weeks ago in iOS 15. Now a patch has arrived for those still running iOS 14.

While Apple has been pushing updates more often, almost bimonthly, this week's resolve some critical vulnerabilities that merit users' attention.

The updates for iOS 14 and iPadOS 14 arrived on Tuesday but one bug in iOS should be reason enough for users to update as soon as possible.

The issue, CVE-2021-30883 - a memory corruption issue in IOMobileFrameBuffer, a kernel extension for managing the screen framebuffer, was being exploited in the wild. Through the bug, Apple warns an application could execute arbitrary code with kernel privileges. The issue affects nearly every iOS device; iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) according to Apple's advisory.

Other bugs fixed include those that could be used to elevate privileges (CVE-2021-30907) and cause arbitrary code execution, some with kernel privileges.

Many of the same bugs, including the IOMobileFrameBuffer one, were also fixed on Monday, a day before, in tvOS.

CVE-2021-30883 had actually been previously fixed in iOS and iPadOS 15 earlier this month. Apple patched it in iOS 15.0.2 and iPadOS 15.0.2 on October 11. This week's patches are for anyone who may still be running iOS 14.

The issue was one of 12 resolved in iOS 14 this week. Users still running it should update to iOS 14.8.1 and iPadOS 14.8.1, the latest iOS 14 version of both operating systems, to remediate the issue.

If users are running iOS 15 they likely noticed that it received an update this week too. While Apple doesn't say any of them were exploited publicly, 22 vulnerabilities in iOS 15.1 and iPadOS 15.1 were fixed on Monday. tvOS 15.1, watchOS 8.1, macOS Catalina, and macOS Big Sur also received updates on Monday that users should find some time this week to prioritize.

The CVE-2021-30883 bug is the latest in a line of zero day vulnerabilities patched by Apple. Last month's much-publicized zero day, CVE-2021-30860, affected the iPhone, iPad, Mac and Apple Watch. Until it was fixed, the vulnerability, also known as ForcedEntry, had been exploited by NSO Group to spread its Pegasus spyware.

Tags:  Apple Mobile Security

Related Blog Posts

Recommended Resources

The Definitive Guide to Data Loss Prevention
The Definitive Guide to Data Loss Prevention

All the essential information you need about DLP in one eBook.

Get the Guide
6 Cybersecurity Thought Leaders on Data Protection
6 Cybersecurity Thought Leaders on Data Protection

Expert views on the challenges of today & tomorrow.

Get the Guide
Digital Guardian Technical Overview
Digital Guardian Technical Overview

The details on our platform architecture, how it works, and your deployment options.

Get the Guide