Apple released iOS 14.7.1, iPadOS 14.7.1 and macOS Big Sur 11.5.1 on 7/26/2021, which are the latest updates for all of its operating systems (OSs). The primary component of these updates is a fix for a major security vulnerability, so users need to apply them as soon as possible.
Apple reports that the vulnerability may have already been exploited, so hackers have probably been specifically targeting it for some time. Analysts have also published a proof-of-concept illustrating how hackers could exploit this vulnerability.
Affected Devices
This patch is compatible with the following Apple products:
- All models of the iPad Pro
- iPhone 6s and later versions
- iPad Air 2 and later versions
- iPad 5th generation and later versions
- iPad mini 4 and later versions
- iPod touch 7th generation
Impact
An anonymous researcher initially reported the vulnerability, which Apple has formally documented as CVE-2021-30807. It may allow applications to execute arbitrary code with kernel privileges, potentially providing a hacker with root access to the device. The vulnerability is a memory corruption issue, which the patch addresses with improved memory handling. Specific exploits are unclear at this time, but hackers may have used it to jailbreak iOS devices. Analysts are also speculating that it could have been part of the NSO Group spyware attacks, which targeted government agencies, journalists and political activists.
Functionality
Saar Amar, a security researcher for the Microsoft Security Response Center (MSRC), reports that he discovered the vulnerability in March 2021. However, he didn’t report it at the time because he was already preparing a detailed report of current bugs for Apple products, which he planned to submit for Apple’s bug bounty program. After Apple disclosed its own report on CVE-2021-30807, Amar published his notes on the vulnerability, which include greater detail than Apple offers on the subject.
CVE-2021-30807 is the result of memory corruption in IOMobileFrameBuffer, which Amar describes as a local privilege escalation (LPE) vulnerability. Attackers can exploit this vulnerability with the engine of WebContent, a component of Safari WebKit. Amar notes that the bug is trivial and straightforward, although he adds that “the exploitation process is quite interesting.”
Additional Fixes
The iOS 14.7.1 update also fixes a bug introduced in iOS 14.7 that can prevent users from unlocking an Apple Watch with their Touch ID iPhones. The workaround for this bug was for users to enter their passcode directly into their Apple Watch, rather than using their iPhone to do it. Individual users who don’t have the 14.7.1 update will need to reset their Apple Watches to remove the passcode.
However, enterprise users are likely to have iPhones loaded with Mobile Device Management (MDM) profiles that require a passcode. In this case, users will need their MDM administrators to remove this requirement. They’ll then need to unpair their Apple Watch from the network, erase it, and set it up from scratch.
Required Action
Users can update their iPhone and iPad devices by opening Settings, selecting General and then selecting Software Update. macOS users need to click on the Apple icon in the top left corner of their screen, click System Preferences, and then click Software Update. These actions will download and install all updates currently available for the device, including patch 14.7.1.
Affected users should apply these updates as quickly as possible due to the severe risk this vulnerability poses. Users can also use the iVerify app to receive immediate update notifications for the iPhone and iPad.