A week ago, Apple pushed out a small but critical security patch for iOS.
That update was iOS 9.3.5, and it fixed a trifecta of previously unknown vulnerabilities that had allegedly been combined to produce a megaexploit.
(If you have an iDevice, go to Settings | General | Software Update right now, just to make sure you’re up-to-date.)
Apparently, the crooks had three zero-day security holes up their sleeves, and they stitched them together something like this:
- Trick Safari’s content-rendering engine, called WebKit, into silently running unauthorised program code. (No going through the App Store or popping up any sort of user approval.)
- Use the implanted code to provoke a kernel bug to locate an exploitable kernel component in memory.
- Attack the now-located vulnerable kernel component to get kernel-level access to the device.
As we explained last week:
Malware that [arrives] just by clicking a web link and then [boosts] itself automatically to kernel level [is] effectively be a “one-click jailbreak.”
A jailbreak is where you sneakily bypass the very security controls that are supposed to stop you bypassing the security controls, so you no longer have to play by Apple’s security rules. Notably, you are no longer restricted to the App Store, so you can follow up a jailbreak by installing whatever software you like.
The urgency of the iOS update was underscored by the claim that the zero-days in this auto-jailbreak attack were acquired from a company that specialises in selling exploits, and used in the wild against a human rights activist called Ahmed Mansoor.
Exploits repurposed
When zero-days become known, there’s not only a chance to figure them out in order to patch them quickly, as Apple did with iOS 9.3.5, but also an opportunity for other crooks to adopt them as well, and to use them for yet more cybercrime.
Worse still, there’s also a chance that new attackers will figure out how to repurpose a zero-day attack from one operating system or application so that it works against other versions, too.
After all, few software products are truly brand new: they’re usually derived, often substantially, from existing source code, and thus share both features and holes.
So it’s not surprising to find that the bugs behind the recent “triplesploit” in iOS also exist in Mac OS X, because Apple’s two operating systems are based on the same internals, albeit built in different ways for different hardware.
Exploits against iOS don’t always translate into exploits against OS X and vice versa, of course, just as phrases in one language don’t always translate directly into other languages. (If a Dutchman gives you a pair of scissors, for example, you’ll literally get two of them, because it’s just “a scissor” in Dutch.)
Nevertheless, in this case it looks as though the bugs aren’t merely shared by iOS and OS X, but are exploitable in both, give that Apple just pushed out two OS X updates:
- Safari 9.1.3. This fixes the WebKit vulnerability listed above.
- Security Update 2016-001 El Capitan/2016-005 Yosemite. This fixes the two combinable kernel holes above.
Note that if you have OS X 10.11 El Capitan, you’ll only see one update to download and install, because the 2016-001 update includes the new version of Safari.
What to do?
Given the likely exploitability of the holes that are fixed by these updates, and the story behind them, we’re advising Mac users to update without delay.
Click on the Apple menu in the top left of your screen, then choose About This Mac and click the Software Update… button.
Do it now!
Catherine
What about older Macbook Pros running Mavericks? And old iPads on old iOS, like iOS6 or 7?
Paul Ducklin
As far as I’m aware, old Apple operating system versions are like Windows XP: they don’t get updates any more because the official way to update them is to switch to a newer and officially supported version. Unfortunately, Apple doesn’t say (or at least if it does, I’ve not seen it) which versions are on the “official” list.
So it’s hard to say whether Mavericks is supported-but-unaffected or if it is not supported and might simply not have received an update even though the bugs go back that far. My suspicion is that it’s 10.11 and 10.10 only that are officially supported. If you can upgrade I strongly recommend it, assuming your hardware supports the new version.
Reader
I realize this article is about a software update (a.k.a., a security patch), but I have a question about an OS update.
I use Yosemite, which preceded El Capitan in the OSX family.
From a security standpoint, do you think I should update to El Capitan now? Or do you think that Yosemite and El Capitan, if they’re kept fully patched and current, are about equally secure as of today?
Paul Ducklin
I’d switch to El Capitan. (Actually, I did, the same day it came out :-) As far as I can see, it has some additional anti-hacking measures that Yosemite lacks. I also found El Capitan a bit faster all round, but that is not an objective assessment. For all I know it may feel faster because I wanted it to :-)
Having said that, Yosemite is both recent and (given that it’s still getting updates) officially supported. So I wouldn’t worry too much.
You may have to upgrade soon anyway, when macOS 10.12 comes out, if we assume that only the current and previous version are officially supported.