Just two weeks ago, Apple released iOS 9.3.3, an update that fixed numerous security holes including one that was compared to last year’s “Stagefright” bug on Android.
Apple’s Stagefright-like bug was in a subsystem called ImageIO, a component used to process and render images.
Your iPhone probably displays lots of different images every day: not only ones you snap yourself with your camera, but also images that arrive via emails, on web pages, or even in MMS messages.
A remote code execution (RCE) bug in an image rendering library is therefore something of a gift to cybercrooks, given the many ways that images can arrive on your iPhone, and the many unexceptionable reasons you have for opening them.
The video below tells you more about the previous, Stagefright-style, bug…
Today, iOS 9.3.4 arrived, fixing a similar-sounding bug in a system component called IOMobileFrameBuffer.
This time, that was it: just one bug squashed, officially denoted CVE-2016-4654.
Apple, as is its custom, isn’t saying much about what was fixed, except that:
An application may be able to execute arbitrary code with kernel privileges… A memory corruption issue was addressed through improved memory handling.
As we’ve mentioned before, a kernel-level RCE bug is a double gift to crooks, because software that runs inside the kernel isn’t subject to the same sandboxing limitations as a regular app.
Indeed, the kernel is responsible for deciding which apps run in the first place, what they’re allowed to do, and which other apps and online services they’re allowed to interact with.
An RCE that applies to a single app is like hacking into one set of traffic lights in a busy metropolitan area; a kernel RCE is more like hacking into the central server that controls all the traffic lights at every intersection in the city.
Jailbreak!
As far as we can tell, the bug that’s been closed off was discovered and used by Team Pangu, a crew of jailbreaking experts.
Jailbreakers try to find and exploit iOS bugs, not to commit crimes but simply to liberate their iPhones from Apple’s “walled garden,” by which you are forced to shop at the App Store only.
The aim of a jailbreak is to open up iPhones so they’re more like Android or Windows Phone devices: locked down by default, but ready to be tweaked for download freedom when you want to go off-market.
Ironically, off-market apps not only include poorly-tested apps that are best avoided (and sometimes even outright malware), but may also include highly-desirable security tweaks that vendors have been slow to offer, or useful security tweaks that are unavailable in the official marketplace.
Technically, of course, a hole that jailbreakers use until Apple fixes it is a zero-day, because there were zero days during which you could have been patched in advance.
As far as we know, no crooks were using Team Pangu’s hack, but a security hole is a security hole, leaving Apple little choice but to push out a patch.
What to do?
As always, our advice is, “Patch early, patch often.”
But we nevertheless wish that Apple would come to the jailbreaking party, even though we’d continue to recommend that you avoid untrusted, off-market apps.
We suspect that Apple would benefit both the community and itself by offering an official route to jailbreaking – a route which could form the basis of independent invention and innovation in iDevice security by an interested minority.
What do you think? Have your say in the comments below…