Categories SecurityTech News

Apple patches iOS jailbreaking vulnerability — again

Apple has released a patch that fixes a vulnerability in the kernel of iOS that allows for public jailbreaking and arbitrary code execution via malicious applications. The vulnerability, (CVE-2019-8605), was initially discovered by Ned Williamson of Google Project Zero. Williamson was able to create an exploit, dubbed “Sockpuppet” by the researcher, and used the exploit to reach "the kernel_task port on iOS 12.2" on his iPhone 6s+. This exploit was then fixed in Apple’s release of patch 12.3, but as Vice’s Lorenzo Franceschi-Bicchierai reported, the most recent 12.4 patch wound up reintroducing the vulnerability to iOS systems.

As Franceschi-Bicchierai reported Pwn20wnd, a hacker known for iOS jailbreaking, published what became the first public jailbreak in years. The jailbreak proved that 12.4 patch from Apple was flawed and it sent the company into emergency fix mode. According to Pwn20wnd’s Twitter activity, the hotfix took care of the issue. In a tweet, Pwn20wnd stated, “I can confirm the exploit was patched in iOS 12.4.1 — Stay on iOS 12.4!” Considering that jailbreaks are Pwn20wnd’s source of income, they understandably want people to stay on the exploitable 12.4 iOS version. For more security-minded individuals, this is idiotic advice and should be ignored unless you want to be vulnerable to exploits.

Apple is trying to put this iOS jailbreaking vulnerability incident behind them. Threatpost’s Lindsey O’Donnell reports in her own article covering the patch/unpatch situation that the company is not responding to requests for comment. It is understandable from a public relations perspective, as Apple likes to posture itself as a security-minded company (which leads to myths among its user base that Apple products are immune to hacking). When you bungle an iOS patch by reintroducing a historically significant flaw like this, sometimes the best strategy is to ignore the media for a while.

In any case, this proves that patching is only as efficient as those who work on the patches.

Featured image: Flickr / Toshiyuki IMAI

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.

Share
Published by
Derek Kortepeter

Recent Posts

Exchange 2013/2016/2019: Configure your receive connectors correctly

Ah, the good old days — when Exchange 2010 was king. But with each new…

13 hours ago

CCPA and GDPR: Similarities and differences you must know

The GDPR and the CCPA are both aimed at protecting privacy. Although many similarities exist…

18 hours ago

How to manage and automate Azure DevOps using Azure CLI

Azure DevOps is fast becoming the next big thing. This Azure DevOps Quick Tip shows…

3 days ago

Trench Tales: When you really need to retire that messaging platform

That old messaging platform has served you well, but maybe it’s time to move on.…

4 days ago

Customize PowerShell with default parameters and save time

Microsoft makes it easy to set up default parameters for PowerShell. And while they may…

4 days ago

Secret Manager security service now available for Google Cloud

Secret Manager, new from Google Cloud, is out in in beta. It provides a secure…

4 days ago