Apple iOS users, update now – zero-day attack seen in the wild

Apple just released iOS 9.3.5, the latest security update for iDevice users.

We suggest you apply this update as soon as you can, and here’s why.

According to Apple’s security bulletin, it fixes three security holes along these lines:

  1. WebKit bug: visiting a maliciously crafted website may lead to arbitrary code execution.
  2. Kernel bug: an application may be able to disclose kernel memory.
  3. Kernel bug: an application may be able to execute arbitrary code with kernel privileges.

You can imagine how these three vulnerabilities could be combined into a serious exploit, where visiting a booby-trapped website might not only infect you with user-level malware, but also go on from there to promote itself to gain kernel-level superpowers.

The security built into iOS does a great job of keeping apps apart, so user-level malware is limited in what it can do: if you have a rogue GPS app, for example, it shouldn’t be able to reach across to your authenticator app and steal its cryptographic secrets.

Nevertheless, a rogue GPS app would be bad enough on its own, as it could keep track of you when you weren’t expecting it.

But if that rogue GPS app could also sneak itself into the iOS kernel, where the security checks and balances that keep apps apart are managed, then you’d have a lot more to worry about.

Loosely speaking, malware that could arrive just by clicking a web link and then boost itself automatically to kernel level would effectively be a “one-click jailbreak.”

A jailbreak is where you sneakily bypass the very security controls that are supposed to stop you bypassing the security controls, so you no longer have to play by Apple’s security rules. Notably, you are no longer restricted to the App Store, so you can follow up a jailbreak by installing whatever software you like.

Well, just such a one-click jailbreak has reportedly been seen in the wild: Gizmodo claims that the attack was created by an Israeli company called NSO Group that sells exploits and hacking services.

Ironically, iOS 9.3.4 came out just three weeks ago, and that update also seems to have been hurried out to close a hole that was ostensibly being used for jailbreaking.

Interestingly, another exploit-gathering company, Zerodium, last year famously offered up to $3,000,000 in bounty money for a trifecta of iOS “click-to-own” bugs, as they’re often called, and later claimed that just before the bounty expired, they’d received a bug submission that could be used for jailbreaking.

Did that bug exist, and was it one of the three that were patched in the latest 9.3.5 update?

We don’t know, but whether it was or wasn’t, you should get yourself the latest patches right away.

Go to Settings | General | Software Update and see what version you’re on right now.

Annoyingly, even though the update is just 39.5MB, you have to update via Wi-Fi. As usual, no updates are allowed via the mobile network. For urgent updates of this sort, it really would be handy for Apple to relax that restriction, especially when you think that you could just stick your SIM card in another phone, turn it into an access point, and update using the mobile network as your carrier anyway.