iOS vulnerability that let you jailbreak your iPhone is once again dead
The iOS vulnerability that made it possible for users and hackers to jailbreak fully up-to-date iPhones and iPads is no more, following an update Apple released on Monday that patches the highly unusual bug.
The security advisory accompanying the release of iOS version 12.4.1 says it patches a kernel vulnerability that allows malicious apps to execute code that runs with the highest of privileges. (The use-after-free vulnerability was first fixed in iOS 12.3.) Then, last weekend, researchers noticed that version 12.4, released in June, was once again vulnerable. Jailbreak enthusiasts—who like the freedom that such vulnerabilities permit—quickly capitalized on the Apple developer mistake by releasing exploits that worked on fully patched devices.
Jailbreaking phones allows users to do all kinds of things that aren’t normally possible, including installing unauthorized apps. But that freedom can potentially work in favor of malicious hackers. Jailbreaking may weaken iOS protections that prevent an app from reading or modifying another app’s data.
Over the years, publicly known jailbreaks have grown increasingly rare. The jailbreak discovered last weekend was all the more unusual because it was the result of a flaw Apple developers already knew of and, indeed, had already fixed. That vulnerability—tracked as CVE-2019-8605—was originally found by Google researcher Ned Williamson. Somehow, the same flaw appears also to have been reintroduced into macOS version 10.14.6, according to an advisory that was published on Monday for a supplemental update of the OS.
Apple’s Monday advisories credited a jailbreak researcher who goes by the handle Pwn20wnd with the discovery of the bug regression in both iOS and macOS. On Twitter, the researcher confirmed the mobile update effectively killed the jailbreak. While the researcher advised people to “Stay on iOS 12.4!” Ars recommends everyone update as soon as possible.