Inside iOS 9.3.5: A detailed look at the biggest vulnerability in iOS history

This morning, Apple suddenly released iOS 9.3.5. The release notes contained only a single sentence: "Provides important security updates, recommended for all users to install." The previous release, iOS 9.3.4, was also a security fix, but iOS 9.3.5 addresses the biggest vulnerability in iOS history. According to the information Apple released to developers, iOS 9.3.5 fixes three security issues:

- CVE-2016-4655: WebKit vulnerability, triggered by a user click
- CVE-2016-4656: Kernel information leakage vulnerability
- CVE-2016-4657: Kernel memory corruption vulnerability

All three are extremely high-quality 0-day vulnerabilities, but this time it is not just a handful of bugs... Leifeng.com interviewed the domestic Pangu and Nirvana jailbreak teams and learned that, the day before Apple released this security update, the Citizen Lab of the Toronto Munk School of Global Affairs, which is committed to exposing large-scale surveillance operations, published a detailed research report on the latest Apple 0-day vulnerabilities and named the set "Trident".

How serious is this group of vulnerabilities?

1. All of them are 0-day vulnerabilities: before they were exposed, no one except their discoverer knew they existed.
2. The user only needs to click a link sent by the attacker; the phone is then remotely jailbroken and the attacker instantly obtains the highest privileges on the phone.
3. With those privileges, the attacker can remotely operate and control the user's iPhone: view the camera, eavesdrop on conversations and recordings, and read application data. They can do whatever they want.

Simply put, an attacker needs only a link to take complete control of your iPhone, which is equivalent to a "remote jailbreak". This level of iOS vulnerability has always been a legend: people often talk about it, but until now no one had seen one.

So why was this set of vulnerabilities exposed? The story began like this. DM557 (Chen Xiaobo), a core member of the Pangu team, reconstructed the entire "remote jailbreak" process:

1. The attacker first sends a link to the target via SMS text message. When the target clicks the link, the phone visits a website controlled by the attacker.
2. The attacker's website hosts an attack program for Mobile Safari. This program exploits a 0-day vulnerability in the MobileSafari JavaScript engine.
3. After the attack program executes, the attacker obtains code execution on the phone through the browser. At this point the attacker's privileges are still confined to the sandbox.
4. Next, the attacker obtains kernel execution privileges through two kernel vulnerabilities (a kernel information leak plus a kernel code execution vulnerability).
5. With kernel execution privileges, the attacker has completed the jailbreak of the phone and turns off several iOS security protection mechanisms, such as remounting rootfs as read-write and disabling code signing.
6. Once the attack is complete, the intruder has become the "master" of the phone and can monitor its communications and traffic.

As a jailbreak master himself, DM557 did not hesitate to praise this jailbreak. The JavaScript vulnerability can attack the iOS system whenever it boots, that is, after every restart it goes through the attack process again, which is somewhat similar to the earlier "perfect jailbreak" (untethered jailbreak).

Gao Xuefeng, head of the 360 Nirvana team, pointed out that remote jailbreaking was achieved in the early days of iOS, but the last time was on iOS 4.3.3, back in 2011. Gao Xuefeng emphasized: iOS adds a very powerful security protection mechanism with almost every major version upgrade. Five years have passed since then, and the difficulty of remotely jailbreaking iOS has increased exponentially; since iOS 7 in particular, vulnerabilities of this level have been almost extinct, so the difficulty of a remote jailbreak today is simply not comparable.

In conclusion, the iOS world has produced a vicious "plague" that can destroy your iPhone in a matter of minutes, but fortunately we already have a vaccine against it, iOS 9.3.5, so you must upgrade!

However, who knows whether other vulnerabilities as vicious as "Trident" are surging underground, ready to sweep the world again when people are caught off guard?
