Endpoint Security , Enterprise Mobility Management / BYOD , Governance & Risk Management

Apple Patches Reintroduced Flaw That Enabled Jailbreaking

Block Update to Keep Jailbreaking - But Do So At Your Peril, Expert Warns
Apple Patches Reintroduced Flaw That Enabled Jailbreaking

Apple released a patch on Monday to fix a flaw previously expunged from its iOS codebase, only to accidentally reintroduce it. The flaw is unusual in that it enables iOS enthusiasts to jailbreak their up-to-date devices - an increasingly rare opportunity that allows users to modify the operating system and install whatever software they'd like.

See Also: Cyber Hygiene and Asset Management Perception vs. Reality

What is perhaps most extraordinary is that the situation occurred at all. In May, Apple issued a patch for iOS 12.3 that fixed a kernel memory vulnerability found by Google Project Zero’s Ned Williamson. He published a “SockPuppet” exploit for the bug, which worked on iOS 12.2 and some prior versions of the operation system.

Such would appear to have been the decline and fall of SockPuppet. But in June, Apple reintroduced the bug in iOS 12.4, although the error doesn't appear to have been quickly spotted.

On Aug. 19, however, Benjamin Weaver who goes by @Pwn20wnd on Twitter, developed a jailbreak to capitalize on the reintroduced flaw.

Summertime for Jailbreakers

Together with the Monday security update, Apple publicly credited Weaver for his assistance, as well as Williamson for discovering the original bug, designated CVE-2019-8605. Apple also fixed the flaw in macOS Mojave version 10.14.6.

Apple pushes updates to iOS, and users are prompted to accept the update. Generally, unless users want to take on the additional security risks that come with jailbreaking a phone, users should apply the update immediately. Anyone seeking to jailbreak their devices, however, will have to block the update, which is iOS 12.4.1.

Living on the Edge

Jailbreaking allows root access to an iPhone, which Apple tries to prevent. Jailbreaking also lets users circumvent Apple’s security protections and install apps that are outside of the App Store - Apple's so-called "walled garden." But the same vulnerabilities that facilitate a jailbreak could also be abused by someone with malicious intent to compromise a jailbroken device, or a device with the potential to be jailbroken - for example, if it's running iOS 12.4.

Having access to a jailbreak that works on up-to-date Apple devices is highly sought after by governments and fetches a high price from vulnerability brokers. Public jailbreaks, along the lines of what Weaver released, are very rare for iOS these days.

"People are asking me how real the threat is that someone will incorporate the iOS 12.4 jailbreak into a malicious App Store app. Well let me just say that as far as I remember there was never before source code for a jailbreak publicly available before it was patched."
—Stefan Esser

The existence of a viable jailbreak means risk. Over the last week or so, attackers could have tried to slip the jailbreak code into an app and publish it to Apple’s App Store. Apple does review apps for security and other quality-control issues, but those reviews aren’t foolproof. Hence in theory at attacker might trick a user into downloading a backdoored app that then gives the attacker remote access to a victim's device or data.

Apple security expert Stefan Esser wrote on Twitter soon after the latest jailbreak became public that “people are asking me how real the threat is that someone will incorporate the iOS 12.4 jailbreak into a malicious App Store app. Well let me just say that as far as I remember there was never before source code for a jailbreak publicly available before it was patched.”

Valuable Vulnerabilities

For years, Apple played a rolling cat-and-mouse game with talented researchers who would probe the latest versions of iOS, looking for a vulnerability or a chain of vulnerabilities that would lead to a jailbreak.

In the early days of iOS, jailbreaks appeared with some frequency. But Apple has improved iOS code quality significantly in recent years, and arguably it's harder than ever now for researchers to find exploitable flaws that they could chain together to facilitate a jailbreak.

Apple has also been trying to get researchers to report these flaws to it directly, and quietly. Three years ago, the technology giant launched a bug bounty program that pays researchers for the type of information that could be used for a jailbreak. Recently, Apple dramatically increased the payouts on offer and began allowing anyone to participate (see Apple Expands Bug Bounty; Raises Max Reward to $1 Million).

The top bounty is now $1 million for a persistent, zero-interaction flaw on either iOS or macOS. Apple’s previous bounty for that type of flaw was $200,000. As part of the revised program, Apple will also provide vetted researchers with prerelease software and special versions of iOS without security protections that make it easier to find bugs (see Is Apple's Top $1 Million Bug Bounty Too Much?).


About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.