Apple has released iOS 14.7.1 and iPadOS 14.7.1 and revealed that they fix a previously unknown flaw that the company says appears to have been "actively exploited".
The company also released macOS Big Sur 11.5.1 to address the same issue in IOMobileFrameBuffer, a kernel extension shared across Apple's platforms.
A malicious app could execute arbitrary code with kernel privileges, Apple warns in both advisories.
"Apple is aware of a report that this issue may have been actively exploited," it says, noting that the memory corruption issue tagged as CVE-2021-30807 was reported by an anonymous researcher. Already, proof of concept exploit code has been posted online.
Separately, Saar Amar, a security researcher and member of the Microsoft Security Response Center (MSRC), revealed that he had also discovered the now-patched bug in iOS four months ago. He says he didn't report the issue to Apple earlier because he was working towards a high-quality bug report for Apple's bug bounty program. After Apple disclosed the bug, he published detailed explanatory notes about the issues he found in IOMobileFrameBuffer.
He notes that the bug "is as trivial and straightforward as it can get", but adds that "the exploitation process is quite interesting here" and offers more detail than Apple would ever provide in its advisories.
Amar describes it as a local privilege escalation (LPE) vulnerability that can be triggered from WebContent, a component of Safari's WebKit engine.
The iOS/iPadOS update is available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).