Apple released a security fix in its release of iOS 15.6.1 in August of last year that was said at the time to fix two major security vulnerabilities. Unfortunately, while the update blocked a specific way of exploiting the flaws, it didn’t address the root cause of the security hole. One of the exploits could have allowed a rogue app to execute arbitrary code with kernel privileges. Happily, Apple’s iOS 16.5 update does actually provide a fix, even if it is nearly 10 months later.
When Apple released iOS 15.6.1 back in August, it said the update fixed the following:
Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
The security flaw has been exploited out in the wild, by an attack named “ColdIntro.” Apple had indeed patched iOS against the ColdIntro attack but failed to fix the actual security hole that ColdIntro exploited. While that specific attack had been parried, security researchers at both Jamf and Google’s Project Zero saw similar attacks that succeeded even after the update had been applied. These new attacks made use of a ColdIntro variation, named ColdInvite.
For example, a bad actor managed to fool the mobile carrier Vodafone into disabling the plan of a targeted victim. The bad guy then sent a fake message to the victim telling them that to restore their plan they’d need to install the My Vodafone app. While the Vodafone app is a genuine app, the link sent to the victim was to a fake version of the app, containing malware.
The ColdInvite attack gains access to the iPhone’s Display Co-Processor (DCP), using this access to then gain access to the Application Processor (AP).
Further analysis showed that while Apple had blocked one attack vector, it had not actually fixed the vulnerability used by the attack(s). Jamf was kind enough to report this to Apple, which finally fixed the vulnerability in the iOS 16.5 release.
Luckily, the ColdInvite exploit doesn’t immediately provide access to the iPhone. Instead, Jamf says that ColdInvite merely gets an attacker closer to being able to take over the targeted iPhone.
[Both exploits allow] an attacker to exploit other vulnerabilities within the AP Kernel. Though it’s not sufficient for a full device takeover on its own, this vulnerability can be exploited to leverage the co-processor in order to obtain read/write privileges to the kernel, allowing a bad actor to get closer to realizing their ultimate goal of fully compromising the device.
Google noted that the bad guys would need to fool a victim into installing their poisoned app, meaning that an attack will likely be targeted at specific individuals. Therefore, the risk to the average iPhone user is likely quite low. That said, installing the iOS 16.5 update helps to ensure that the attack’s method of compromising one processor in order to gain access to another can’t be performed on your device, making it well worth installing the update as soon as possible.
(Via 9to5Mac)