Institute For Ethical Hacking Course and Ethical Hacking Training in Pune – India
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan
Credits: The Register
Apple has issued an update to address a potentially serious security flaw it re-opened in the latest version of iOS.
Monday’s iOS 12.4.1 update contains a single fix: a patch to address CVE-2019-8605. The use-after-free vulnerability would let an application gain the ability to execute arbitrary code with system privileges. Credit for discovering the flaw was given to Ned Williamson from Google’s Project Zero team, who reported the flaw to Cupertino back in March.
This is not the first time Apple has had to patch CVE-2019-8605. The vulnerability was first addressed with the iOS 12.3 update in May of this year. Users running iOS 12.2 had been using the vulnerability as the catalyst for jailbreak procedures that allow users to install and run non-approved software on their iPhones and iPads.
The flaw was thought to have been closed for good, up until last week when word broke that the unc0ver jailbreak tool was able to unlock 12.4 handsets by once again exploiting the flaw.
It seems Apple had unintentionally rolled back the 12.3 patch that addressed CVE-2019-8605 and the jailbreak exploit for the bug that had last worked in iOS 12.2 was once again succeeding on new handsets.
Jailbreaks aside, the re-exposure of the bug was embarrassing for Apple and potentially dangerous for end-users. The vulnerability could also have been targeted by criminals to install malware on iOS devices by disguising their apps as legitimate, or by injecting attack code into legitimate apps.
In releasing the fix, Apple made a point of thanking pwn20wnd, the developer of the unc0ver tool.
Those who don’t want to jailbreak their iPhones or iPads would be wise to make sure they are running iOS 12.4.1 or later.
Apple also put out updates to address the same vulnerability in macOS and tvOS. These operating systems are considered significantly less of a risk to the bug as Apple TV is largely a walled garden and macOS would require code already be running locally to exploit, at which point it’s game over anyway.
www.extremehacking.org
Sadik Shaikh | Cyber Suraksha Abhiyan, Ethical Hacking Training Institute, CEHv10, CHFI, ECSAv10, CAST, ENSA, CCNA, CCNA SECURITY, MCITP, RHCE, CHECKPOINT, ASA FIREWALL, VMWARE, CLOUD, ANDROID, IPHONE, NETWORKING, HARDWARE, TRAINING INSTITUTE IN PUNE, Certified Ethical Hacking, CSA Certified SOC Analyst, CTIA EC-Council Certified Threat Intelligence Analyst, Center For Advanced Security Training in India, ceh v10 course in Pune-India, ceh certification in pune-India, ceh v10 training in Pune-India, Ethical Hacking Course in Pune-India