Apple just released iOS 9.3.5, the latest security update for iDevice users.
We suggest you apply this update as soon as you can, and here’s why.
According to Apple’s security bulletin, it fixes three security holes along these lines:
- WebKit bug: visiting a maliciously crafted website may lead to arbitrary code execution.
- Kernel bug: an application may be able to disclose kernel memory.
- Kernel bug: an application may be able to execute arbitrary code with kernel privileges.
You can imagine how these three vulnerabilities could be combined into a serious exploit, where visiting a booby-trapped website might not only infect you with user-level malware, but also go on from there to promote itself to gain kernel-level superpowers.
The security built into iOS does a great job of keeping apps apart, so user-level malware is limited in what it can do: if you have a rogue GPS app, for example, it shouldn’t be able to reach across to your authenticator app and steal its cryptographic secrets.
Nevertheless, a rogue GPS app would be bad enough on its own, as it could keep track of you when you weren’t expecting it.
But if that rogue GPS app could also sneak itself into the iOS kernel, where the security checks and balances that keep apps apart are managed, then you’d have a lot more to worry about.
Loosely speaking, malware that could arrive just by clicking a web link and then boost itself automatically to kernel level would effectively be a “one-click jailbreak.”
A jailbreak is where you sneakily bypass the very security controls that are supposed to stop you bypassing the security controls, so you no longer have to play by Apple’s security rules. Notably, you are no longer restricted to the App Store, so you can follow up a jailbreak by installing whatever software you like.
Well, just such a one-click jailbreak has now been reported in the wild: Gizmodo claims that the attack was created by an Israeli company called NSO Group that sells exploits and hacking services.
Ironically, iOS 9.3.4 came out just three weeks ago, and that update also seems to have been hurried out to close a hole that was ostensibly being used for jailbreaking.
Interestingly, another exploit-gathering company, Zerodium, last year famously offered up to $3,000,000 in bounty money for a trifecta of iOS “click-to-own” bugs, as they’re often called, and later claimed that, just before the bounty expired, it had received a bug submission that could be used for jailbreaking.
Did that bug exist, and was it one of the three that were patched in the latest 9.3.5 update?
We don’t know, but whether it was or wasn’t, you should get yourself the latest patches right away.
Go to Settings | General | Software Update and see what version you’re on right now.
Annoyingly, even though the update is just 39.5MB, you have to update via Wi-Fi. As usual, no updates are allowed via the mobile network. For urgent updates of this sort, it really would be handy for Apple to relax that restriction, especially when you think that you could just stick your SIM card in another phone, turn it into an access point, and update using the mobile network as your carrier anyway.
Thanks for publishing this post, I shared it on my Facebook page. Very interesting, a 3-year-old 0day.
Why no mention of where it originated?
As mentioned in the article, the claim (I have no way of validating it) is that the in-the-wild attack code came by way of an exploit-selling company called NSO Group, which I assume is an organisation akin to the late Hacking Team out of Italy. I’m not aware of any smoking gun to say how or where these exploits were found in the first place.
Webkit bug? Also used in Opera, Kindle, and Blackberry. Are they exposed, too?
I somehow doubt it, at least not exposed in the same way because the two other kernel-land bugs (which I am assuming are what make this into a jailbreak type of attack rather than just a rogue malware app type of attack) wouldn’t apply.
Are pre iOS 9 devices affected by this? If so, are they to be patched?
I don’t know how far back the buggy code goes but as far as I know, the current update for iOS 8.x is iOS 9.3.5. So, yes, it has been patched :-)
Yes, that is an update :-) but what about the devices that have not been updated – perhaps still on iOS 8 or earlier because users don’t update to the next iOS as the devices run slower…. I understand this is not a question that Sophos should answer, but devices that are out there with older, potentially unpatched iOS versions are left open, are they not? What do Apple do, if anything, to prevent such scenarios?
Errr, I am not sure. I assume that if you find your current device too slow (or unable) to run the latest version, you are supposed to buy a new device as part of your free upgrade :-)
I haven’t had to retire an iPhone for that reason yet, as I’m a comparatively new user of iOS, but that situation is exactly what happened to me with the Android device I had before I got the iPhone. (In fact, I upgraded to iOS instead of to a new Google phone :-) )
I can run more recent Androids, sort of, by using home-made firmware, which isn’t really an option on most iDevices, but most of the Google proprietary apps (what most people think of as making an “Android phone”) are missing…
…so it’s sort of, “Thanks for coming, but it’s game over now. Time to go home. Goodnight, until you buy a new phone.”
So it’s potentially a concern, like the abundance of XP devices still connected to the Internet. However, I’m surprised that Apple, who market their products with security in mind, do not address this. E.g. they could deny Internet connectivity for old devices unless using the latest iOS platform, so that the device is just a phone brick until you replace it for new. That could save a few concerns :-)
Might cause a regulatory backlash in some countries, by effectively (if not actually) bricking the device. Might it not ruffle various contract law or “sale of goods” feathers?
Good point. I’m sure that if such limitations (let’s assume just Internet access is blocked, leaving the device functional as a phone) are put in place, they can be backed by T’s & C’s shaped to suit locations, which would help eradicate the problem of ‘not’ addressing Internet threats on older devices and leaving them connected.