Owners of Apple devices that run on iOS have been cautioned to take cybersecurity particularly seriously over the next couple of days. This follows Apple accidentally reopening an old security bug in the latest version of the operating system.
In last month’s release of iOS 12.4, Apple patched a couple of security loopholes, and also enabled support for Apple Card for US users. In the process, however, it also mistakenly reversed an important security fix that came with iOS 12.3.
That update fixed a security flaw that was revealed by Google’s Project Zero, which, at least in theory, enables “a malicious application … to execute arbitrary code with system privileges.” To put it differently: by exploiting the bug, an application could get full control over your iPhone.
Such “jailbreaks” are so valuable to those who want to exploit them that they are usually kept a tight secret. The previous time a new iOS version contained a jailbreak-type bug was nearly four years ago, and then only for a week.
KnowBe4 security awareness advocate Javvad Malik said that everyone makes mistakes, even Apple. He warned that until a fix was released, there was the danger of someone taking advantage of the bug. He added that “users can be vigilant to protect themselves by validating the apps they are downloading are legitimate and safe.”
Malik warned that hackers were likely to try to trick iOS users into downloading malicious software so that they could exploit the bug. He also cautioned iPhone owners not to jailbreak their own devices, because this can expose them to numerous threats.
iPhone security expert Stefan Esser warned that even apps downloaded from the app store could contain a copy of the jailbreak.
Apple will most likely release a patch for the current vulnerability with iOS 12.4.1, which should be ready in a couple of days.