Apple Fixes Jailbreak Bug For the Second Time
Apple has released a new iOS security update designed to fix a jailbreak bug which it previously addressed and then accidentally rolled back.
The flaw itself, CVE-2019-8605, is a use-after-free vulnerability credited to Ned Williamson working on the Google Project Zero team.
The flaw, which could allow an attacker to execute arbitrary code with system privileges, was first reported to Apple by Williamson back in March. Some Apple users were apparently exploiting it to jailbreak their devices in order to run unsanctioned software on their kit.
Apple subsequently patched the bug with its 12.3 iOS version in May. However, earlier this month it unwittingly reintroduced the issue with version 12.4.
Security researcher Pwn20wnd released a free public jailbreak tool exploiting the issue.
Now the problem has been fixed for the second time thanks to the 12.4.1 update released by Apple on Monday. The Cupertino giant even thanked Pwn20wnd “for their assistance” in its update.
The patch doesn’t just mitigate the risk of users jailbreaking their iPhones and iPads. The vulnerability could also theoretically have been exploited by hackers to steal data from victims’ devices.
Public jailbreaks are pretty rare, given that the community usually tries to keep any details secret so Apple doesn’t catch wind.
However, a Chinese security researcher in January released details of a remote jailbreak for iOS 12 on the iPhone X.
Alongside iOS 12.4.1, Apple released tvOS 12.4.1, watchOS 5.3.1 and macOS Mojave 10.14.6.
Source: Information Security Magazine