
Apple patches iOS jailbreaking vulnerability — again

Apple has released a patch that fixes a vulnerability in the iOS kernel that allows public jailbreaking and arbitrary code execution via malicious applications. The vulnerability (CVE-2019-8605) was initially discovered by Ned Williamson of Google Project Zero. Williamson created an exploit, which he dubbed “Sockpuppet,” and used it to reach "the kernel_task port on iOS 12.2" on his iPhone 6s+. The flaw was then fixed in Apple’s 12.3 release, but as Vice’s Lorenzo Franceschi-Bicchierai reported, the most recent 12.4 patch wound up reintroducing the vulnerability to iOS systems.

As Franceschi-Bicchierai reported, Pwn20wnd, a hacker known for iOS jailbreaking, published what became the first public jailbreak in years. The jailbreak proved that the 12.4 patch from Apple was flawed, and it sent the company into emergency fix mode. According to Pwn20wnd’s Twitter activity, the hotfix took care of the issue. In a tweet, Pwn20wnd stated, “I can confirm the exploit was patched in iOS 12.4.1 — Stay on iOS 12.4!” Considering that jailbreaks are Pwn20wnd’s source of income, they understandably want people to stay on the exploitable 12.4 iOS version. For more security-minded individuals, this is idiotic advice and should be ignored unless you want to be vulnerable to exploits.

Apple is trying to put this iOS jailbreaking vulnerability incident behind it. Threatpost’s Lindsey O’Donnell reports in her own article covering the patch/unpatch situation that the company is not responding to requests for comment. That is understandable from a public relations perspective, as Apple likes to position itself as a security-minded company (which leads to myths among its user base that Apple products are immune to hacking). When you bungle an iOS patch by reintroducing a historically significant flaw like this, sometimes the best strategy is to ignore the media for a while.

In any case, this proves that patching is only as efficient as those who work on the patches.

Featured image: Flickr / Toshiyuki IMAI

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating an informed society with regard to information security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
