Severe vulnerability in iOS and OS X can put down almost any Apple device

Apple is at it again releasing buggy and vulnerable software. This time it come in the form of a flaw which could allow elevation of privileges for malicious code and bypassing of Apple’s security features.

“The flaw was discovered by Pedro Vilaça, a security researcher for SentinelOne, and was reported to Apple back in December of last year. It exploited the way some special binaries and tasks act in iOS and OS X and allowed an attacker to bypass Apple’s System Integrity Protection (SIP) feature. This latter technology limits the ability of a root account to access protected parts of iOS and OS X. But some programs, like the ones that update your device’s operating system retain privileges – and its these that are exploited by this flaw which is then allowed to run arbitrary code on the device and bypass SIP.

The researcher said that this flaw could be exploited as part of a so-called “bug chain”, where successive security flaws are used to penetrate deeper into the OS. According to him, this exploit would eventually allow an attacker to not only run arbitrary code but also load unsigned kernel code. This essentially means the device is fully compromised. Vilaça explained at a security conference that the exploit is “100 percent reliable and stable […] it does not crash machines or processes”.

The good news is that it doesn’t seem to have been used in the wild – but that’s not a hundred percent certain, and as Vilaça notes, it’s exactly the type of exploit a nation-state or intelligence agency would use.

Luckily, the vulnerability which was recently disclosed by Google’s Project Zero, has been patched as of iOS 9.3 and OS X El Capitan 10.11.4. In other words, this is another big reason for you to upgrade to the latest version of your operating systems.” – Neowin.net

Looks like its time for you to snag iOS 9.3.

Advertisements