Apple releases patch for critical vulnerability on iPhone and iPad

Apple has released a security update for a zero-day vulnerability in iOS that allows a malicious person to run code with kernel privileges on an iPhone or iPad through an application. According to Apple, the vulnerability may have already been actively exploited.

It is a memory corruption issue in the IOMobileFrameBuffer that all iPhones have from the 6s, all models iPad Pro, iPad Air 2 and newer, iPad 5th generation and newer, iPad mini 4 and newer and the seventh generation iPod touch. The vulnerability made it possible to run arbitrary code in an application, granting kernel privileges. Apple expects the vulnerability to be actively exploited. Apple is urging users to download version 15.0.2 of iOS and iPadOS as soon as possible, which includes a patch for the vulnerability.

The vulnerability, registered under the CVE number CVE-2021-30883, was discovered by an anonymous security researcher. Apple has not yet released any details about the vulnerability. According to The Hacker News, it’s Apple’s seventeenth zero day this year and the second zero day targeting the IOMobileFrameBuffer. A similar vulnerability, CVE-2021-30807, was fixed in July. In September, Apple also called on users to update operating systems due to a zero-day vulnerability linked to the Israeli company NSO Group.

In addition to the vulnerability, version 15.0.2 of iOS also addresses a number of minor bugs. For example, photos saved from Messages in the library could be deleted if the associated message thread or message was deleted. That has been addressed. Also, the leather card holder with MagSafe for iPhone sometimes failed to connect to Find My, and the Airtag sometimes didn’t show up in the “Objects” tab in Find My. The update also fixes an issue with CarPlay that sometimes prevented audio apps from opening or disconnected during playback. Finally, it fixes an issue affecting iPhone 13 models where restore or update could fail in Finder or iTunes.