Skip to main content

Speculation that yesterday’s iOS security fix was for NSO exploit

Apple yesterday released iOS 14.7.1, with a reference to an iOS security fix for a vulnerability that may have been actively exploited …

Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Description: A memory corruption issue was addressed with improved memory handling.

There are two clues in there that suggest the fix was for an exploit used by NSO for a zero-click attack, which has been used against iPhones owned by dissidents, activists, human rights lawyers, and opposition politicians.

First, Amnesty International’s report said that merely receiving a particular iMessage could be enough to compromise a phone and allow personal data to be accessed. Analysis suggests that this was achieved through a memory overflow, matching Apple’s description of the flaw.

Second, Apple said that it was aware that the vulnerability may have been actively exploited in the wild. The company’s phrasing is rather academic in tone, but that is typical of Apple’s style.

The Register notes the potential link, and also says that the exploit code has now been posted.

Apple on Monday patched a zero-day vulnerability in its iOS, iPadOS, and macOS operating systems, only a week after issuing a set of OS updates addressing about three dozen other flaws.

The bug, CVE-2021-30807, was found in the iGiant’s IOMobileFrameBuffer code, a kernel extension for managing the screen frame buffer that could be abused to run malicious code on the affected device.

CVE-2021-30807, credited to an anonymous researcher, has been addressed by undisclosed but purportedly improved memory handling code […]

Apple did not, however, say who might be involved in the exploitation of this bug. Nor did the company respond to a query about whether the bug has been exploited by NSO Group’s Pegasus surveillance software […]

The IOMobileFrameBuffer has provided a path into Apple’s software several times over the past decade. Presumably Cupertino’s coders will be taking a closer look at the software to see if there’s anything else they’ve missed.

A security researcher who had earlier identified the issue but had not had time to work it up into a detailed report to Apple has shared the details of what he found.

Other security researchers have called on Apple to treat the vulnerability of iMessage to such attacks as a far higher priority. Johns Hopkins associate professor and cryptographer Matthew Green said that Apple should “re-write most of the iMessage codebase in some memory-safe language,” while security researcher and iPhone jailbreaker Will Strafach said that Apple should be making it easier for researchers to see what is happening when such attacks occur, so that the underlying vulnerabilities can be more readily identified.

Photo: Onur Binay/Unsplash

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!


Ben Lovejoy's favorite gear

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications