iOS security patch in 14.7.1 likely addresses an exploit used by NSO




Apple released iOS 14.7.1 yesterday, with reference to an iOS security patch for a vulnerability that may have been actively exploited …

Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

Description: A memory corruption issue was addressed through improved memory management.

There are two clues that suggest the fix was for an exploit used by NSO for a zero-click attack, which was used against iPhones owned by dissidents, activists, human rights lawyers and opposition politicians.

First, Amnesty International’s report said that simply receiving a particular iMessage could be enough to compromise a phone and allow access to personal data. The analysis suggests that this was achieved through a memory overflow, matching Apple’s description of the flaw.

Second, Apple said it is aware that the vulnerability may have been actively exploited in the wild. The company’s phrasing is rather academic in tone, but it’s typical of Apple’s style.

The Register notes the potential link and also indicates that the exploit code has now been released.

Apple on Monday fixed a zero-day vulnerability in its iOS, iPadOS and macOS operating systems, just a week after releasing a set of operating system updates that fixed around three dozen other flaws.

The bug, CVE-2021-30807, was found in the iGiant’s IOMobileFrameBuffer, a kernel extension for handling the screen frame buffer that could be abused to execute malicious code on the affected device.

CVE-2021-30807, attributed to an anonymous researcher, was addressed by undisclosed but allegedly improved memory management code […]

Apple has not, however, specified who could be involved in the exploitation of this bug. The company also did not respond to whether the bug was exploited by NSO Group’s Pegasus monitoring software. […]

IOMobileFrameBuffer has paved a way into Apple’s software several times over the past decade. Presumably, the Cupertino coders will take a closer look at the software to see if there is anything else they missed.

A security researcher who previously identified the problem but had no time to elaborate on it in a detailed report to Apple shared details of what he found.

Other security researchers have asked Apple to treat iMessage’s vulnerability to such attacks as a much higher priority. Johns Hopkins associate professor and cryptographer Matthew Green said Apple should “rewrite most of the iMessage codebase in memory safe language,” while iPhone security researcher and jailbreaker Will Strafach said Apple should make it easier for researchers to see what happens when such attacks occur, so that underlying vulnerabilities can be more easily identified.

Photo: Onur Binay / Unsplash
