Update your iPhone to iOS 14.7 right now to fix emergency security flaw

Purple iPhone 12
(Image credit: Future)

Apple unexpectedly released security updates yesterday (July 26) for iPhones, iPads and Macs to fix a single zero-day flaw that's apparently already being used to attack devices. You'll need to update ASAP to iOS 14.7.1, iPad OS 14.7.1 and macOS Big Sur 11.5.1.

The flaw is in the IOMobileFrameBuffer, which controls how an application manager manages a device's display. Apple says the vulnerability makes it possible for "an application... to execute arbitrary code with kernel privileges." That means an app already present on a Mac, iPhone or iPad — for example, Trojan malware pretending to be a benign app — could leverage the flaw to seize control of the entire device. 

In its characteristically terse way, Apple's security advisories noted that the company "is aware of a report that this issue may have been actively exploited." I.e., it's a software flaw that was exploited before the software maker learned of the flaw, giving Apple zero days' warning. The vulnerability has been assigned the catalogue number CVE-2021-30807.

Apple credits "an anonymous researcher" with discovering the flaw, but hasn't said whether it's related to the Pegasus mobile spyware that's been in the news lately. 

Yet Apple is clearly spooked enough by the flaw to push out an emergency update without much else to accompany it — the only other fix with any of these three updates was to an Apple Watch pairing issue. Apple released much larger updates to its various operating systems just last week.

Soon after Apple posted its security advisories, a Twitter user called "binaryboy" posted what purports to be a working exploit of the flaw. 

See more

And a security researcher who uses his real name on Twitter said he'd found the flaw a few months ago, but had not yet submitted it to Apple. He quickly wrote up a rather technical blog post explaining his discoveries.

See more

The updates are available for all Macs capable of running Big Sur, plus, in Apple's words, "iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.