Apple’s support page indicates the issue affects the IOMobileFrameBuffer and could allow an application to execute code with kernel privileges.
According to Jamf Threat Labs researchers, the exploit is easy to use, provides local privilege escalation, and allows an attacker to escape from the app sandbox; it could be combined with other exploits to create a very powerful attack sequence on iOS devices.
For all the reasons above, we recommend organizations and users update to 15.0.2 as soon as possible.
According to data from Wandera, a Jamf Company, as of October 14, 2021, a majority of iOS devices on the Jamf platform are still running versions below iOS 15 and are vulnerable to this exploit.
This is surprising since historically Apple users have always been very fast to update their iOS devices. However, when Apple released iOS 15 it didn’t flag iOS 14.8 as out of date. As a result, users have to manually choose to upgrade their devices or organizations have to force upgrades remotely.
Our researchers have confirmed that this vulnerability does affect iOS 14.8, but as of October 14, 2021, this version is still not being flagged by Apple as out of date (see screenshot above taken by a Jamf employee on October 15, 2021) and users are not pushed to update automatically.
This means many devices are exposed to risk, and their users are likely unaware of it.
The change to the way Apple rolls out major software updates may be the reason why adoption of iOS 15 is slower than adoption of previous versions. Data from business analytics company Mixpanel shows much slower adoption of iOS 15 compared to iOS 14, which makes it all the more urgent to get devices upgraded. According to Mixpanel, approximately one month after the release of iOS 14, 43% of devices had been upgraded, while 27% of devices have now upgraded to iOS 15 over a similar time period.
Gaining visibility into the operating system versions running on devices used to access sensitive work data is an important step towards having an overview of your risk posture. Jamf customers can view the OS versions of managed devices within their fleet. Additionally, iOS versions below iOS 15.0.2 are now being flagged as vulnerable within Jamf Threat Defense.
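An added example, not Jamf's code or tooling: one way to triage an exported device inventory against the 15.0.2 threshold named above. The CSV column names and device names are constructed for illustration; the comparison is numeric because a plain string comparison would rank 9.3.5 above 15.0.2 and 15.0.10 below it.

```python
import csv
import io

# Fixed release named on the page; everything below it is treated as vulnerable.
FIXED_VERSION = "15.0.2"

# Constructed sample export (hypothetical column names and devices).
SAMPLE_INVENTORY = """device_name,os_version
exec-iphone-01,15.0.2
sales-ipad-07,14.8
dev-iphone-12,15.0
lab-iphone-03,9.3.5
kiosk-ipad-02,15.0.10
byod-iphone-09,
"""

def parse_version(text):
    """Turn '15.0.2' into (15, 0, 2); return None if it is not a dotted number."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def is_below(version, fixed):
    """Compare numerically, padding with zeros so 15.0 is treated as 15.0.0."""
    width = max(len(version), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) < pad(fixed)

def triage(csv_text, fixed=FIXED_VERSION):
    """Return device names bucketed as 'vulnerable', 'ok' or 'unknown'."""
    fixed_t = parse_version(fixed)
    result = {"vulnerable": [], "ok": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        version = parse_version(row["os_version"] or "")
        if version is None:
            # Missing or malformed version: surface it, do not assume it is patched.
            result["unknown"].append(row["device_name"])
        elif is_below(version, fixed_t):
            result["vulnerable"].append(row["device_name"])
        else:
            result["ok"].append(row["device_name"])
    return result

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Devices with a blank or unparseable version land in the unknown bucket so they can be followed up.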
Next steps to secure your environment:
- Use Jamf Threat Defense to take action when a vulnerable OS is detected (for example, escalate to MDM/UEM to implement a more restrictive mode on the device).
- Use Jamf Private Access to prevent compromised devices from accessing sensitive business applications while the device is in a risky state.
- Use Jamf Data Policy to allow access to iOS updates when on a Wi-Fi network to ensure optimal use of cellular connectivity and faster downloads for the end user.
- Use Jamf Pro to manage your Apple fleet and upgrade users en masse without disruption.
Since it’s so important, we’re going to repeat the most effective solution: Update your iOS device to 15.0.2 as soon as possible.
Jamf is here to help you.