Apple accidentally unpatches iOS vulnerability, hacker creates new jailbreak

Posted:
in iOS edited August 2019
Hackers have for the first time in years released a publicly available jailbreak for iPhones running up-to-date software after Apple mistakenly unpatched a critical vulnerability in its most current iOS release.

unc0ver
Researcher "pwn2ownd" on Monday released a new version of the "unc0ver" jailbreak with support for iOS 12.4.


Apple's iOS 12.4, released in July, contains a bug that was discovered by Google security researchers and subsequently squashed in iOS 12.3, reports Motherboard.

Ned Williamson, who is credited as working with Google's Project Zero team to uncover a number of iOS flaws, confirmed the once-patched exploit is now in play.

"A user apparently tested the jailbreak on 12.4 and found that Apple had accidentally reverted the patch," Williamson said in a statement to Motherboard.

Apple's accident opens the door to jailbreaks and the execution of malicious code, the report said. Security researcher Jonathan Levin told the publication that because iOS 12.4 is current, and the only version available from Apple, many iPhones and iPads running anything other than iOS 12.3 are vulnerable. Levin went on to say that the bug is a 100+ day exploit, or one that was discovered over 100 days ago.

Capitalizing on Apple's mistake, researcher "pwn2ownd" released a free jailbreak -- technically a new version of their ongoing project "unc0ver" -- for iOS 12.4 on Monday, with a number of iPhone owners later reporting the software as functional. He told Motherboard that a bad actor could leverage the snafu to "make a perfect spyware," adding that "it is very likely that someone is already exploiting this bug for bad purposes."

Pwn2ownd offered up the example of a malicious app that exploits the vulnerability to escape Apple's iOS sandbox, allowing it to glean sensitive user data. Alternatively, a malicious webpage might combine the same bug with a browser exploit to achieve similar effect.

Apple has yet to comment on the issue.

Comments

  • Reply 1 of 16
    racerhomie3racerhomie3 Posts: 1,264member
    Fools, who think to get out of apple’s restrictions should realize ,there are bad actors around the globe willing to make money from your foolish decisions. If you love your customizability & piracy a lot please use android & windows. Stop spending $1000 on iPhones & get that $50 freedom phone. Just remember, those freedoms have consequences. 
    edited August 2019 Andy.Hardwakevirtualshiftwatto_cobra
  • Reply 2 of 16
    markbyrnmarkbyrn Posts: 661member
    Might have mentioned that the vulnerability does not affect newer hardware running on the A12 chip - at least in terms of allowing a viable jailbreak.  Even Forbes and it's hysterical "Apple's Unforgiveable Mistake" article noted it.  
    edited August 2019 muthuk_vanalingamcaladanianfrantiseklordjohnwhorfincornchipwatto_cobra1stArina14
  • Reply 3 of 16
    Fools, who think to get out of apple’s restrictions should realize ,there are bad actors around the globe willing to make money from your foolish decisions. If you love your customizability & piracy a lot please use android & windows. Stop spending $1000 on iPhones & get that $50 freedom phone. Just remember, those freedoms have consequences. 
    What does any of that rhetoric actually mean?  Jailbreaking has been a thing for almost as long as the iPhone has been a thing.  None of that doom and gloom you're implyng has occurred any more than it has occurred with non-jailbroken devices.  You're kinda just spreading FUD.  If someone buys an iPhone and wants to jailbreak, more power to 'em.  It's their money, their phone, their choice.  Since Apple has incorporated a lot of features from the jailbreak community, it's a less attractive proposition these days.  That doesn't mean we should resort to fear mongering if we don't agree with jailbreaking.  
    markbyrn said:
    Might have mentioned that the vulnerability does not affect newer hardware running on the A12 chip - at least in terms of allowing a viable jailbreak.  Even Forbes and it's hysterical "Apple's Unforgiveable Mistake" article noted it.  
    Outside of being embarrassing, it's really not that big of a deal.  Jailbreaking was never a huge thing.  This won't make it any more significant.  They will repatch the unpatch and life will continue on unabated.  Emphasis on the A12 isn't really that important either considering the vast majority of iPhones in the wild don't run on the A12... on the R, S, and the Max.  
    edited August 2019 napoleon_phoneapartmuthuk_vanalingamjohnbearsuperklotonuraharaCarnagechemengin1singularity
  • Reply 4 of 16
    Well, the Tibetan monk walk is still alive. Two steps forward, one step backwards.
    PetrolDavemuthuk_vanalingam
  • Reply 5 of 16
    knowitallknowitall Posts: 1,648member
    Hackers have for the first time in years released a publicly available jailbreak for iPhones running up-to-date software after Apple mistakenly unpatched a critical vulnerability in its most current iOS release.

    unc0ver
    Researcher "pwn2ownd" on Monday released a new version of the "unc0ver" jailbreak with support for iOS 12.4.


    Apple's iOS 12.4, released in July, contains a bug that was discovered by Google security researchers and subsequently squashed in iOS 12.3, reports Motherboard.

    Ned Williamson, who is credited as working with Google's Project Zero team to uncover a number of iOS flaws, confirmed the once-patched exploit is now in play.

    "A user apparently tested the jailbreak on 12.4 and found that Apple had accidentally reverted the patch," Williamson said in a statement to Motherboard.

    Apple's accident opens the door to jailbreaks and the execution of malicious code, the report said. Security researcher Jonathan Levin told the publication that because iOS 12.4 is current, and the only version available from Apple, many iPhones and iPads running anything other than iOS 12.3 are vulnerable. Levin went on to say that the bug is a 100+ day exploit, or one that was discovered over 100 days ago.
    j
    Capitalizing on Apple's mistake, researcher "pwn2ownd" released a free jailbreak -- technically a new version of their ongoing project "unc0ver" -- for iOS 12.4 on Monday, with a number of iPhone owners later reporting the software as functional. He told Motherboard that a bad actor could leverage the snafu to "make a perfect spyware," adding that "it is very likely that someone is already exploiting this bug for bad purposes."

    Pwn2ownd offered up the example of a malicious app that exploits the vulnerability to escape Apple's iOS sandbox, allowing it to glean sensitive user data. Alternatively, a malicious webpage might combine the same bug with a browser exploit to achieve similar effect.

    Apple has yet to comment on the issue.
    A big snafu, or a request from the NSA?
    muthuk_vanalingamcornchip1st
  • Reply 6 of 16
    Fools, who think to get out of apple’s restrictions should realize ,there are bad actors around the globe willing to make money from your foolish decisions. If you love your customizability & piracy a lot please use android & windows. Stop spending $1000 on iPhones & get that $50 freedom phone. Just remember, those freedoms have consequences. 
    Pleeease... who wants a $50 freedom phone, when flip phones are cool and hip again.
    cornchipwatto_cobra
  • Reply 7 of 16
    MplsPMplsP Posts: 3,911member
    Oops!

    I remember when people would jailbreak their iPhones because they wanted to put their own lock screen on. Now I have a hard time finding half of the options in the settings app! 
    razorpit
  • Reply 8 of 16
    “Just when I thought I was out, they pull me back in”.
    -Michael Corleone
  • Reply 9 of 16
    This does indicate a breakdown somewhere in Apple's quality control and verification procedures.  This should not happen. 
    command_f
  • Reply 10 of 16
    dewmedewme Posts: 5,332member
    No way to sugar coat this breakdown in source code control. Definitely a screwup. 
    freshmakercommand_f
  • Reply 11 of 16
    Did it on on a old 6S+ and jailbreaking is still lame.
    watto_cobra
  • Reply 12 of 16
    So we've learned something more about Apple's regression testing.
  • Reply 13 of 16
    jcs2305jcs2305 Posts: 1,336member
    donjuan said:
    Did it on on a old 6S+ and jailbreaking is still lame.
    Then you don’t know what you are doing 😎. 
  • Reply 14 of 16
    It’s ridiculous that jail breaking is even needed.   Users ought to have freedom to install software from any source.  Like a Mac,  for iOS devices there are safer ways for Apple to secure things that preventing not Apple distributed software from running... which forced many to jailbreak.

    From a freedom perspective this is good.   
  • Reply 15 of 16
    It’s ridiculous that jail breaking is even needed.   Users ought to have freedom to install software from any source.  Like a Mac,  for iOS devices there are safer ways for Apple to secure things that preventing not Apple distributed software from running... which forced many to jailbreak.

    From a freedom perspective this is good.   
    It's a compromise isn't it. Personally, I like the security that comes with apps being pre-secanned by Apple's servers before they get anywhere my device and my data. YMMV.
  • Reply 16 of 16
    This does indicate a breakdown somewhere in Apple's quality control and verification procedures.  This should not happen. 
    This is a major screwup. Can't wait to hear Apple's response...this is too juicy!!!
Sign In or Register to comment.