Latest Apple iOS update patches remote jailbreak exploit for iPhones

Apple on Monday released updates for iOS, macOS, tvOS, and watchOS with security fixes for several vulnerabilities, including a remote jailbreak exploit chain as well as a number of critical issues in the Kernel and the Safari web browser that were first demonstrated at the Tianfu Cup held in China two months ago.

Tracked as CVE-2021-30955, the issue could have allowed a malicious application to execute arbitrary code with kernel privileges. Apple said it fixed the problem with “improved condition management.” The flaw also affects macOS devices.

“Kernel bug CVE-2021-30955 is the one we tried [to] use to build our remote jailbreak chain but failed to complete on time,” Kunlun Lab General Manager @mj0011sec noted in a tweet. A set of kernel vulnerabilities was ultimately exploited by Team Pangu in the Tianfu Hack Contest to break into an iPhone 13 Pro running iOS 15, an exploit that earned the white hat hackers $330,000 in cash rewards.

Besides CVE-2021-30955, a total of five Kernel flaws and four IOMobileFrameBuffer flaws (a kernel extension to handle screen frame buffering) have been fixed with the latest updates –

  • CVE-2021-30927 and CVE-2021-30980: A use-after-free issue that could allow a malicious application to execute arbitrary code with kernel privileges.
  • CVE-2021-30937: A memory corruption vulnerability that could allow a malicious application to execute arbitrary code with kernel privileges.
  • CVE-2021-30949: A memory corruption issue that could allow a malicious application to execute arbitrary code with kernel privileges.
  • CVE-2021-30993: A buffer overflow issue that could allow an attacker in a privileged network position to execute arbitrary code.
  • CVE-2021-30983: A buffer overflow issue that could allow an application to execute arbitrary code with kernel privileges.
  • CVE-2021-30985: An out-of-bounds write issue that could allow a malicious application to execute arbitrary code with kernel privileges.
  • CVE-2021-30991: An out-of-bounds read issue that could allow a malicious application to execute arbitrary code with kernel privileges.
  • CVE-2021-30996: A race condition that could allow a malicious application to execute arbitrary code with kernel privileges.

On the macOS front, the Cupertino-based company fixed an issue with the Wi-Fi module (CVE-2021-30938) that a local user on the system could exploit to cause the system to shut down unexpectedly and even read kernel memory. The tech giant credited Pangu Lab’s Xinru Chi with reporting the flaw.

Seven security vulnerabilities in the WebKit component have also been fixed (CVE-2021-300934, CVE-2021-300936, CVE-2021-30951, CVE-2021-30952, CVE-2021-30953, CVE-2021-30954 and CVE-2021-30984), which could potentially result in a scenario where processing specially crafted web content leads to the execution of arbitrary code.

Apple also fixed a few issues affecting the Notes and Password Manager apps in iOS that could allow someone with physical access to an iOS device to access contacts from the lock screen and recover stored passwords without any authentication. Last but not least, a bug in FaceTime has been fixed which could otherwise have leaked sensitive user information via Live Photos metadata.

About Kelly Choos