The bug is being exploited in the wild. Within hours of the patch's release, one researcher published proof-of-concept code, calling it a "great" vulnerability that could be used for jailbreaking and local privilege escalation.
On Monday, Apple rushed out a security update for iOS 15.0.2 and iPadOS 15.0.2 to fix an actively exploited remote code execution (RCE) zero-day vulnerability.
Within hours, security researchers had identified the bug from the patch and published proof-of-concept code along with an explanation of the flaw, so now is a good time to update iOS devices.
A week and a half ago, Apple released iOS 15.0.1 to fix performance glitches, but iOS 15.0.2 is the first security update for the new operating system.
Monday's patch addresses a zero-day memory-corruption bug (CVE-2021-30883) in IOMobileFrameBuffer, a kernel extension that manages the screen framebuffer.
According to Apple's advisory, "Applications can execute arbitrary code using kernel privileges. Apple is aware of a report that this issue may have been actively exploited." An attacker who acquires kernel privileges gains full control of the iOS device. Apple does not usually hand attackers a roadmap, and true to form the company has been tight-lipped: it has released no technical details of either the vulnerability or the attack that exploits it.
Not everyone is so cautious. Shortly after the patch was released, a security researcher named Saar Amar posted a technical explanation and proof-of-concept code.
He said he thought the bug was "really interesting because it can be accessed from the app sandbox (so it's great for jailbreaking)."
Jailbreaking — taking advantage of a flaw in a locked device to install software that the manufacturer did not consider or provide — gives the device owner full access to the root directory and all functionality of the operating system.
In addition to being "great" for jailbreaking, the researcher says the vulnerability is "a good candidate for exploitation in chains (WebContent, etc.)", that is, for local privilege escalation (LPE).
"Therefore, I decided to take a quick look at the BinDiff patch and determine the root cause of the vulnerability," the researcher explained.
He is referring to BinDiff, a binary comparison tool that quickly finds similarities and differences in disassembled code. Security researchers and engineers use it to identify and isolate the bug fixes in vendor-supplied patches and to analyze multiple versions of the same binary.
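To make the patch-diffing idea concrete, here is an added example of a toy function-level differ. It is not Apple's code, not part of BinDiff, and not real IOMobileFrameBuffer disassembly: the two "binaries" are constructed dictionaries mapping function symbols to lists of instruction mnemonics, and the matching heuristic (Jaccard similarity of mnemonic bigrams) is a deliberate simplification of the structural heuristics a real binary differ uses. It shows the defender-side workflow the paragraph describes: match functions between the pre- and post-patch builds, then single out the ones whose code changed, which is where the fix (and therefore the bug) lives.

```python
"""Toy function-level patch diff in the spirit of BinDiff (added example).

Each "binary" is a dict: function symbol -> list of instruction mnemonics.
The sample data below is constructed for illustration and is not taken from
any real kernel extension.
"""


def ngrams(mnemonics, n=2):
    """Return the set of n-grams of consecutive mnemonics for one function."""
    if len(mnemonics) < n:
        return {tuple(mnemonics)}
    return {tuple(mnemonics[i:i + n]) for i in range(len(mnemonics) - n + 1)}


def similarity(a, b, n=2):
    """Jaccard similarity of mnemonic n-grams: 1.0 = identical, 0.0 = nothing shared."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    union = ga | gb
    return len(ga & gb) / len(union) if union else 1.0


def diff_binaries(old, new, threshold=0.5):
    """Classify functions as unchanged, changed, added or removed.

    Functions are paired by symbol name first. Leftovers (symbols stripped or
    renamed by the patch) are paired greedily by best similarity above
    `threshold`, mirroring how a real differ falls back to structural
    heuristics when names are unavailable. Each match is reported as
    (old_name, new_name, similarity).
    """
    result = {"unchanged": [], "changed": [], "added": [], "removed": []}
    unmatched_old, unmatched_new = set(old), set(new)

    # Pass 1: exact symbol-name matches.
    for name in sorted(set(old) & set(new)):
        s = round(similarity(old[name], new[name]), 2)
        bucket = "unchanged" if s == 1.0 else "changed"
        result[bucket].append((name, name, s))
        unmatched_old.discard(name)
        unmatched_new.discard(name)

    # Pass 2: best-similarity matching for functions with no name match.
    candidates = sorted(
        ((similarity(old[o], new[nw]), o, nw) for o in unmatched_old for nw in unmatched_new),
        reverse=True,
    )
    for s, o, nw in candidates:
        if s < threshold:
            break
        if o in unmatched_old and nw in unmatched_new:
            s = round(s, 2)
            bucket = "unchanged" if s == 1.0 else "changed"
            result[bucket].append((o, nw, s))
            unmatched_old.discard(o)
            unmatched_new.discard(nw)

    result["removed"] = sorted(unmatched_old)
    result["added"] = sorted(unmatched_new)
    return result


# Constructed sample: the patched build adds a bounds check (cmp / b.hs) to
# setProperty and renumbers an unnamed helper; everything else is unchanged.
OLD_BUILD = {
    "setProperty": ["stp", "mov", "ldr", "cmp", "b.ne", "str", "ldp", "ret"],
    "getDisplayInfo": ["stp", "mov", "bl", "ldp", "ret"],
    "sub_1000": ["ldr", "add", "str", "ret"],
}
NEW_BUILD = {
    "setProperty": ["stp", "mov", "ldr", "cmp", "b.hs", "cmp", "b.ne", "str", "ldp", "ret"],
    "getDisplayInfo": ["stp", "mov", "bl", "ldp", "ret"],
    "sub_1040": ["ldr", "add", "str", "ret"],
}


if __name__ == "__main__":
    report = diff_binaries(OLD_BUILD, NEW_BUILD)
    for bucket, entries in report.items():
        print(f"{bucket}: {entries}")
    # Only the changed bucket deserves a closer look: it holds the fix.
```

Run as-is and the only entry in the `changed` bucket is `setProperty` (similarity 0.78), while the renamed helper `sub_1000` is correctly paired with `sub_1040` as unchanged. On a real patch the analyst would feed the changed functions into a disassembler to read the added check, exactly as the researcher describes doing with BinDiff.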
Monday's zero-day is a close cousin of a kernel memory-corruption bug Apple patched in July. That vulnerability, CVE-2021-30807, was also actively exploited, was also found in the IOMobileFrameBuffer extension for iOS and macOS, and was likewise used to take over devices.
Monday's update, iOS 15.0.2, is available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
Apple credits an anonymous researcher for the discovery. The patch came a few weeks after Apple released iOS 15 in September.
iOS 15 is full of much-hyped new security defenses. Specifically, the new OS ships with a built-in two-factor authentication (2FA) code generator, on-device voice recognition, and multiple anti-tracking security and privacy features.
Voice recognition is meant to sidestep privacy concerns about the iPhone's biometric information being sent to the cloud for processing (and sometimes eavesdropping).
iOS 15 also includes patches for at least 22 security vulnerabilities, including some that expose iPhone and iPad users to remote denial of service (DoS) and remote execution of arbitrary code with kernel privileges.