Apple accidentally re-introduced a vulnerability in its latest operating system, iOS 12.4, that had been previously fixed in iOS 12.3.
Apple’s most recent operating system update, iOS 12.4, accidentally unpatched a fix that had been issued in a previous update — leaving devices vulnerable to code execution and privilege-escalation attacks. The flaw also allows phones to be jailbroken — and a public jailbreak has just been released to take advantage of it on phones running the latest version of iOS.
The blunder, first reported by Motherboard, means that Apple devices that are fully updated to the most recent iOS version are open to a vulnerability that had previously been patched in May as part of the iOS 12.3 update.
The flaw (CVE-2019-8605), a use-after-free issue in the kernel, could enable a malicious application to execute arbitrary code with system privileges on iOS devices, including the iPhone 5s and later, iPad Air and later, and the iPod touch sixth generation.
The bug was initially discovered by Google Project Zero researcher Ned Williamson, who after the initial patch published an exploit for iOS 12.2, dubbed “SockPuppet,” that utilized the vulnerability to “achieve the kernel_task port on iOS 12.2 on [the] iPhone 6S+.”
While Williamson’s exploit offered the ability to jailbreak in iOS 12.2, on Aug. 18 a hacker under the alias “Pwn20wnd” on GitHub released various fine-tuned jailbreaks for the latest version of iOS, based on SockPuppet.
After its release, iPhone users flocked to Twitter to show their successful attempts at jailbreaking their own phones — a method to escape Apple’s limitations on what apps and code can run on the iPhone. It’s useful for those wanting to install custom code, add features or perform security research outside the purview of the Apple ecosystem.
“You will have to upgrade to iOS 12.4 if you are on iOS 12.3 to use the latest jailbreak – Enjoy,” said Pwn20wnd on Twitter.