Just two weeks ago, Apple released iOS 9.3.3, an update that fixed numerous security holes including one that was compared to last year’s “Stagefright” bug on Android.
Apple’s Stagefright-like bug was in a subsystem called ImageIO, a component used to process and render images.
Your iPhone probably displays lots of different images every day: not only ones you snap yourself with your camera, but also images that arrive via emails, on web pages, or even in MMS messages.
A remote code execution (RCE) bug in an image rendering library is therefore something of a gift to cybercrooks, given the many ways that images can arrive on your iPhone, and the many unexceptionable reasons you have for opening them.
Today, iOS 9.3.4 arrived, fixing a similar-sounding bug in a system component called IOMobileFrameBuffer.
This time, that was it: just one bug squashed, officially denoted CVE-2016-4654.
Apple, as is its custom, isn’t saying much about what was fixed, except that:
An application may be able to execute arbitrary code with kernel privileges… A memory corruption issue was addressed through improved memory handling.
As we’ve mentioned before, a kernel-level RCE bug is a double gift to crooks, because software that runs inside the kernel isn’t subject to the same sandboxing limitations as a regular app.
Indeed, the kernel is responsible for deciding which apps run in the first place, what they’re allowed to do, and which other apps and online services they’re allowed to interact with.
An RCE that applies to a single app is like hacking into one set of traffic lights in a busy metropolitan area; a kernel RCE is more like hacking into the central server that controls all the traffic lights at every intersection in the city.
Jailbreak!
As far as we can tell, the bug that’s been closed off was discovered and used by Team Pangu, a crew of jailbreaking experts.
Jailbreakers try to find and exploit iOS bugs, not to commit crimes but simply to liberate their iPhones from Apple’s “walled garden,” by which you are forced to shop at the App Store only.
The aim of a jailbreak is to open up iPhones so they’re more like Android or Windows Phone devices: locked down by default, but ready to be tweaked for download freedom when you want to go off-market.
Ironically, off-market apps not only include poorly-tested apps that are best avoided (and sometimes even outright malware), but may also include highly-desirable security tweaks that vendors have been slow to offer, or useful security tweaks that are unavailable in the official marketplace.
Technically, of course, a hole that jailbreakers use until Apple fixes it is a zero-day, because there were zero days during which you could have been patched in advance.
As far as we know, no crooks were using Team Pangu’s hack, but a security hole is a security hole, leaving Apple little choice but to push out a patch.
What to do?
As always, our advice is, “Patch early, patch often.”
But we nevertheless wish that Apple would come to the jailbreaking party, even though we’d continue to recommend that you avoid untrusted, off-market apps.
We suspect that Apple would benefit both the community and itself by offering an official route to jailbreaking – a route which could form the basis of independent invention and innovation in iDevice security by an interested minority.
What do you think? Have your say in the comments below…
To be honest with you, I don’t mind being in a “walled garden,” but the only people I know that have a jailbroken phone use it for pirated software. I don’t support pirated software no matter what the platform.
This security update might be more than just “patching” jailbreak. I switched from Android to iOS for personal reasons, but the point is it’s good that Apple is very proactive in patching all security holes. If folks can afford to buy an expensive phone, I don’t understand why they can’t afford to buy apps at the App Store.
… because they have no money left over?
Hmmm, negative. If you have money to buy an iPhone, you have a few dollars for the apps you want.
Using a sample size of 1 (myself): I have never pirated an iOS app; I rarely need additional apps from the App Store (I have 10 or so that all cost $0); and yet I have happily run a jailbroken iPad in recent memory. I simply wanted to be able to grab my own files off it easily, and to learn more about how iOS worked.
If your main goal in jailbreaking was to rip off content, rather than to learn something new, and you had iPhone levels of money to spend…
…surely you’d ditch your plans for an iPhone, and just buy an unlocked Android device up front, such as one of Google’s various Nexus flavours?
Nah, not necessarily. I know people with jailbroken iPhones who are iPhone fanboys and wouldn’t touch an Android device. They specifically want an iPhone, and they want to be able to do what they want with it.
Never used one pirated piece of software on any jailbroken iPhone I’ve owned.
I jailbreak to be able to schedule Do Not Disturb to work on a specific day and time, which is stupid that option is available, and to be able to move my pictures into a specific folder instead of a messy Camera Roll app. Again, Apple, why?
Co-sign. Anyone reading this post can go to Reddit’s /r/jailbreak sub-Reddit forum and see posts of peoples’ favorite Tweaks and see that there are a million ways to make our iDevices much better via Jailbreaking.
I get so tired of the constant “Only pirates Jailbreak”, “Jailbreaking exposes you to malware” blah blah FUD.
I’ve seen a former client’s jailbroken iPad sending packets to Chinese-IPed servers, and it was only running SpringBoard and other pretty standard pieces of jailbreak software. Since then (about 5 years ago?) I haven’t trusted the integrity of any jailbroken packages. Prior to actually seeing the router logs, I advised against jailbreaking by novice users out of concern, not out of having any factual reason. Now, after seeing the packet traces, I flat out tell people that jailbreaking is like inviting crackers in, and they might as well post all their private info online.
It’s my device. I bought it. I own it. I should be able to do as I like with it. If I were making the rules, I’d require Apple to allow jailbreaking, and I’d require Apple to un-brick devices bricked by buggy OS software. Their attitude really puzzles me. Of course there are other stupid issues such as there not being a water resistant option, and a large battery option for not too much more money.
I agree, Joe. Funny how they’ll let you install whatever you want on your own Mac, but lock you into the walled garden on a computer that just happens to be smaller and thinner. (Think about it.) At this point an iPad Pro with an external keyboard isn’t all that different (compute-wise) from a MacBook Air. But I can control one yet not the other? The whole notion of “You paid $750 to license the OS and agree to the walled garden” is preposterous. If Apple wants to treat this like a car lease and not car ownership, then give us the same lowered TCO we get from a ‘lease’.