Apple released a security update to prevent malware and spyware vendors from exploiting a bug.
On Monday (26 August), Apple released an iOS security update that fixes an old bug that was recently reintroduced in a software update.
The bug was fixed in the iOS 12.3 update in May 2019, but was accidentally unpatched in iOS 12.4 last month. The latest update, iOS 12.4.1, amends that error.
Apple said: “A malicious application may be able to execute arbitrary code with system privileges. A use after free issue was addressed with improved memory management.”
Google Project Zero security engineer Ned Williamson discovered the original bug. The company thanked an individual referred to as Pwn20wnd for their assistance in patching the new security flaw.
According to ZDNet, Pwn20wnd released a public exploit based on Williamson’s bug, enabling users to jailbreak up-to-date iOS devices, giving users complete control over their iPhones.
Apple’s latest update revokes this ability. While it may benefit some users who want to customise their devices and download otherwise prohibited apps, malware vendors can also use Pwn20wnd’s jailbreak to embed code inside malicious apps, granting them full control over a device.
Spyware vendors can also take advantage of jailbreak vulnerabilities, exploiting flaws to gain access to a user’s messages, location and phone calls without being detected.
In April 2019, Apple had to revoke a developer’s enterprise certificate after security research firm Lookout discovered a Spyware app targeting iOS users. This disguised app could silently siphon contacts, audio recordings, photos, videos and real-time location data.
Following the latest patch, Apple has advised users to update their devices as soon as possible. The update is available for the iPhone 5s and later, the iPad Air and later, and the iPod Touch 6th generation. The same kernel vulnerability previously affected macOS, but was fixed in macOS 10.14.6.