Apple Patches Reintroduced Flaw That Enabled JailbreakingBlock Update to Keep Jailbreaking - But Do So At Your Peril, Expert Warns
Apple released a patch on Monday to fix a flaw previously expunged from its iOS codebase, only to accidentally reintroduce it. The flaw is unusual in that it enables iOS enthusiasts to jailbreak their up-to-date devices - an increasingly rare opportunity that allows users to modify the operating system and install whatever software they'd like.
What is perhaps most extraordinary is that the situation occurred at all. In May, Apple issued a patch for iOS 12.3 that fixed a kernel memory vulnerability found by Google Project Zero’s Ned Williamson. He published a “SockPuppet” exploit for the bug, which worked on iOS 12.2 and some prior versions of the operation system.
Such would appear to have been the decline and fall of SockPuppet. But in June, Apple reintroduced the bug in iOS 12.4, although the error doesn't appear to have been quickly spotted.
Summertime for Jailbreakers
Together with the Monday security update, Apple publicly credited Weaver for his assistance, as well as Williamson for discovering the original bug, designated CVE-2019-8605. Apple also fixed the flaw in macOS Mojave version 10.14.6.
I can confirm the exploit was patched in iOS 12.4.1 - - Stay on iOS 12.4!— Pwn20wnd is reviving 0-Days (@Pwn20wnd) August 26, 2019
Apple pushes updates to iOS, and users are prompted to accept the update. Generally, unless users want to take on the additional security risks that come with jailbreaking a phone, users should apply the update immediately. Anyone seeking to jailbreak their devices, however, will have to block the update, which is iOS 12.4.1.
Living on the Edge
Jailbreaking allows root access to an iPhone, which Apple tries to prevent. Jailbreaking also lets users circumvent Apple’s security protections and install apps that are outside of the App Store - Apple's so-called "walled garden." But the same vulnerabilities that facilitate a jailbreak could also be abused by someone with malicious intent to compromise a jailbroken device, or a device with the potential to be jailbroken - for example, if it's running iOS 12.4.
Having access to a jailbreak that works on up-to-date Apple devices is highly sought after by governments and fetches a high price from vulnerability brokers. Public jailbreaks, along the lines of what Weaver released, are very rare for iOS these days.
"People are asking me how real the threat is that someone will incorporate the iOS 12.4 jailbreak into a malicious App Store app. Well let me just say that as far as I remember there was never before source code for a jailbreak publicly available before it was patched."
The existence of a viable jailbreak means risk. Over the last week or so, attackers could have tried to slip the jailbreak code into an app and publish it to Apple’s App Store. Apple does review apps for security and other quality-control issues, but those reviews aren’t foolproof. Hence in theory at attacker might trick a user into downloading a backdoored app that then gives the attacker remote access to a victim's device or data.
Apple security expert Stefan Esser wrote on Twitter soon after the latest jailbreak became public that “people are asking me how real the threat is that someone will incorporate the iOS 12.4 jailbreak into a malicious App Store app. Well let me just say that as far as I remember there was never before source code for a jailbreak publicly available before it was patched.”
For years, Apple played a rolling cat-and-mouse game with talented researchers who would probe the latest versions of iOS, looking for a vulnerability or a chain of vulnerabilities that would lead to a jailbreak.
In the early days of iOS, jailbreaks appeared with some frequency. But Apple has improved iOS code quality significantly in recent years, and arguably it's harder than ever now for researchers to find exploitable flaws that they could chain together to facilitate a jailbreak.
Apple has also been trying to get researchers to report these flaws to it directly, and quietly. Three years ago, the technology giant launched a bug bounty program that pays researchers for the type of information that could be used for a jailbreak. Recently, Apple dramatically increased the payouts on offer and began allowing anyone to participate (see Apple Expands Bug Bounty; Raises Max Reward to $1 Million).
The top bounty is now $1 million for a persistent, zero-interaction flaw on either iOS or macOS. Apple’s previous bounty for that type of flaw was $200,000. As part of the revised program, Apple will also provide vetted researchers with prerelease software and special versions of iOS without security protections that make it easier to find bugs (see Is Apple's Top $1 Million Bug Bounty Too Much?).