Thursday, July 21, 2016

iOS 9.3.3 for iPhone and iPad: update sooner rather than later

Update 24-July: to date I am not aware of any public exploits for these vulnerabilities. The only exploits I am aware of reside with the discoverer at Talos, and will not be publicly released. Still, the damage that could be done if a criminal hacker worked out an exploit is significant enough that this is a must-install update. 

Apple released software updates for many of its products this week: iOS for iPhones, iPads and iPods; OS X for Mac laptops; watchOS for Apple Watch; tvOS for Apple TV; iTunes for Windows; and the Safari web browser. This is a case where you might want to update sooner rather than later, at least if you use an iPhone or iPad.

About a year ago, a researcher in Austin found a flaw in a core component of Android that became known as the StageFright vulnerability. This component was responsible for processing images and videos, and it could be exploited merely by sending a maliciously designed MMS message. The recipient did not have to view the message: the phone processed the image automatically as soon as it was received.

This spring, a researcher on Cisco's Talos team found a very similar flaw in ImageIO, the component of the operating system that handles all image processing. Just like StageFright, ImageIO has what the security profession calls a Remote Code Execution (RCE) flaw: a hacker can craft a malicious image file that exploits the flaw to run any program or instructions they want. All they have to do is get you to open the image, which is as easy as sending it via MMS so that your phone automatically loads the image and has it ready for you to see.

Unlike Android, though, iOS is designed so that every program runs in a "sandbox": programs can only read their own memory and cannot (usually) corrupt other programs or the operating system itself. So in theory, exploiting ImageIO through an MMS message would let a crook read your private messages or send a message pretending to be you, and exploiting ImageIO in a browser might let the crook steal any passwords saved in that browser, but neither by itself can take over your device.

Alas, several other flaws fixed in the same update would allow a hacker to execute code with kernel privileges. This means that once a malicious program has a foothold on your device, it could turn around and use a second technique to jump out of the sandbox and take full control of the device.

The saving grace is that, while Android updates must be provided by your handset maker and your cellular carrier (which may or may not make them available to you), Apple sends updates straight to your device.

What do you need to do?

Consumers: Open your iPhone or iPad's Settings tool and go to General -> Software Update. If you are running iOS 9.3.3 (the latest update as of this writing), your device will show that it is up-to-date. If you are running an older version, your device will show an update is available. Install it!

Security professionals: Individual vulnerabilities can no longer be viewed in isolation (to be fair, that has long been the case, but this is a clear example of why). If an attacker can exploit CVE-2016-4631 to execute arbitrary code with limited privileges, then exploit CVE-2016-1863 (for example) to escalate to root, the result is RCE as root, without requiring any interaction from the victim user.
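For a fleet rather than a single handset, the same "is it on 9.3.3 yet?" check can be scripted against a device inventory. This is an added example, not code from the post; it assumes an export of `<device>,<iOS version>` lines such as many MDM tools can produce (the sample inventory here is constructed), and compares each version numerically against 9.3.3 rather than as a string, so that a hypothetical 9.3.10 would not be mistaken for an older release.

```shell
#!/bin/sh
# Added example, not from the original post: triage a device inventory
# against the iOS release that carries the fixes. Assumes an export of
# "<device>,<iOS version>" lines, one per device (the sample below is
# constructed for illustration, not real devices).
FIXED_VERSION="9.3.3"

# version_lt A B: succeed (exit 0) when dotted version A is older than B.
# Components are compared numerically, so 9.3.10 ranks above 9.3.3, and a
# missing component counts as 0 (9.3 is treated as 9.3.0).
version_lt() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1   # identical versions are not older
}

# flag_outdated: read inventory lines on stdin and print one line per
# device that still needs the update, or whose version cannot be parsed
# (those are reported for manual review rather than silently skipped).
flag_outdated() {
    while IFS=, read -r device version; do
        if [ -z "$device" ]; then continue; fi
        case "$version" in
            ''|*[!0-9.]*)
                printf 'CHECK MANUALLY: %s reports version "%s"\n' "$device" "$version"
                continue ;;
        esac
        if version_lt "$version" "$FIXED_VERSION"; then
            printf 'NEEDS UPDATE: %s is on iOS %s (fixed in %s)\n' \
                "$device" "$version" "$FIXED_VERSION"
        fi
    done
}

# Constructed sample inventory (device names and versions are made up).
SAMPLE_INVENTORY='ceo-iphone,9.3.3
sales-ipad-02,9.3.2
lab-iphone,9.3.5
kiosk-ipad,8.4.1
spare-ipod,9.3'

printf '%s\n' "$SAMPLE_INVENTORY" | flag_outdated
```

Feed it a real export with `flag_outdated < inventory.csv`; anything it prints is a device that has not yet received the fix or needs a closer look.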