iOS Users: Apple Says Update Immediately
There is a large and growing body of evidence that hackers and their attacks are increasing in sophistication. Hardly a month goes by that there isn’t a headline somewhere in the world about a new attack vector. The level of innovation and cunning is staggering.
Apple used to be largely immune to such attacks, a fact brought about by virtue of a greater emphasis on security, and because Apple’s share of the desktop and laptop market was quite small, and generally seen as not worth going after on a large scale. There were bigger, easier targets.
That changed with the release of the iPhone, and suddenly Apple found itself increasingly targeted by hackers from around the world.
Recently, an exotic, highly complex chained attack was uncovered that relies on a trio of “zero day exploits,” which are as bad as they come. Note that these attacks were found being used in the wild, so this is not some theoretical musing about what could happen. It’s an attack that has already occurred.
The attack is not something that a casual hacker could pull off, which means that there isn’t a huge number of people who could do it, but the fact that it happened at all sent Apple scrambling to release an emergency patch that addressed all three zero day vulnerabilities found.
The attack works like this:
A link (URL) is sent to the user via SMS. This link opens a web page which loads JavaScript, and executes a binary inside the Safari web browser.
This leads to the second event in the zero day chain, where another exploit allows it to bypass KASLR protections that would normally prevent malware from identifying where the core of the OS is found in memory.
Armed with this information, the third exploit in the chain kicks off, which corrupts the memory in the kernel. This incapacitates iOS, leaving it incapable of blocking software from running that hasn’t been signed by Apple. From here, the hacker has unfettered access to the phone.
All that is to say if you’re running a version of iOS older than 9.3.5, patch it immediately, or risk losing control of your device.