Two significant security flaws were reportedly fixed by Apple in iOS 15.6.1 back in August of last year, one of which might have allowed a malicious app to execute arbitrary code with kernel privileges (i.e., do Very Bad Things). However, it has since been discovered that the more critical vulnerability wasn’t really patched.
Apple did successfully prevent one method of exploiting the weakness, but it wasn’t until last week’s iOS 16.5 update, around nine months later, that the root problem was fixed.
Apple’s security update 2022
In August 2022, Apple released iOS 15.6.1, noting that it “provides important security updates and is recommended for all users.”
Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
This was indeed actively exploited by an attack dubbed ColdIntro. Apple patched iOS against ColdIntro.
But the vulnerability still persisted
Although Apple closed off the specific ColdIntro attack path, security researchers at Jamf and Google’s Project Zero observed that comparable attacks continued to succeed even after the update. These later attacks used ColdInvite, a variant of ColdIntro.
In one instance, an attacker succeeded in tricking the mobile carrier Vodafone into disabling a target’s plan. The attacker then sent the victim a phony message asking them to download the My Vodafone app (a real program) in order to restore the plan. The link, however, pointed to a fake version of the app that carried the malware.
The attack first compromises the Display Co-Processor (DCP) and uses that foothold to reach the Application Processor (AP).
How serious is this?
Jamf’s analysis showed that Apple had not patched the underlying vulnerability that allowed similar attacks. Jamf reported this to Apple, and the company fixed the flaw in iOS 16.5.
[Both exploits allow] an attacker to exploit other vulnerabilities within the AP Kernel. Though it’s not sufficient for a full device takeover on its own, this vulnerability can be exploited to leverage the co-processor in order to obtain read/write privileges to the kernel, allowing a bad actor to get closer to realizing their ultimate goal of fully compromising the device.
Although “an application may be able to execute arbitrary code with kernel privileges” can be interpreted as “a rogue app can do anything it likes to the phone,” that isn’t the case in this instance. According to Jamf, ColdInvite only moves a potential attacker one step closer to being able to control the iPhone.
This is more likely to be used as part of a targeted attack on particular people since, according to the real-world example Google provided, the bad guys would need to trick you into installing their software.
However, Jamf warns that the strategy of compromising one CPU in order to access another will only become more prevalent, making it always worthwhile to update iOS as soon as possible.
If, however, you depend on Apple’s Lightning to USB 3 adaptor (which iOS 16.5 breaks), you can reasonably wait for a fix, as long as you refrain from clicking links or opening unexpected attachments in the meantime.