A week ago, Apple pushed out a small but critical security patch for iOS.
That update was iOS 9.3.5, and it fixed a trifecta of previously unknown vulnerabilities that had allegedly been combined to produce a megaexploit.
(If you have an iDevice, go to Settings | General | Software Update right now, just to make sure you’re up-to-date.)
Apparently, the crooks had three zero-day security holes up their sleeves, and they stitched them together something like this:
- Trick Safari’s content-rendering engine, called WebKit, into silently running unauthorised program code. (No going through the App Store or popping up any sort of user approval.)
- Use the implanted code to provoke a kernel bug to locate an exploitable kernel component in memory.
- Attack the now-located vulnerable kernel component to get kernel-level access to the device.
As we explained last week:
Malware that [arrives] just by clicking a web link and then [boosts] itself automatically to kernel level [is] effectively be a “one-click jailbreak.”
A jailbreak is where you sneakily bypass the very security controls that are supposed to stop you bypassing the security controls, so you no longer have to play by Apple’s security rules. Notably, you are no longer restricted to the App Store, so you can follow up a jailbreak by installing whatever software you like.
The urgency of the iOS update was underscored by the claim that the zero-days in this auto-jailbreak attack were acquired from a company that specialises in selling exploits, and used in the wild against a human rights activist called Ahmed Mansoor.
When zero-days become known, there’s not only a chance to figure them out in order to patch them quickly, as Apple did with iOS 9.3.5, but also an opportunity for other crooks to adopt them as well, and to use them for yet more cybercrime.
Worse still, there’s also a chance that new attackers will figure out how to repurpose a zero-day attack from one operating system or application so that it works against other versions, too.
After all, few software products are truly brand new: they’re usually derived, often substantially, from existing source code, and thus share both features and holes.
So it’s not surprising to find that the bugs behind the recent “triplesploit” in iOS also exist in Mac OS X, because Apple’s two operating systems are based on the same internals, albeit built in different ways for different hardware.
Exploits against iOS don’t always translate into exploits against OS X and vice versa, of course, just as phrases in one language don’t always translate directly into other languages. (If a Dutchman gives you a pair of scissors, for example, you’ll literally get two of them, because it’s just “a scissor” in Dutch.)
Nevertheless, in this case it looks as though the bugs aren’t merely shared by iOS and OS X, but are exploitable in both, give that Apple just pushed out two OS X updates:
- Safari 9.1.3. This fixes the WebKit vulnerability listed above.
- Security Update 2016-001 El Capitan/2016-005 Yosemite. This fixes the two combinable kernel holes above.
Note that if you have OS X 10.11 El Capitan, you’ll only see one update to download and install, because the 2016-001 update includes the new version of Safari.
What to do?
Given the likely exploitability of the holes that are fixed by these updates, and the story behind them, we’re advising Mac users to update without delay.
Click on the Apple menu in the top left of your screen, then choose About This Mac and click the Software Update… button.
Do it now!