It took Apple a week to finally release an emergency fix for a vulnerability that allows malicious hackers to take control of all Apple desktop and laptop computers, mobile devices (iPhone, iPad, and iPod touch) and also TV set-top boxes that are running the latest version of the company’s software.
We first reported last week about the critical security flaw that Apple reintroduced in the latest version of its mobile operating system, which makes all iPhones, iPads, and iPod touches that updated to iOS 12.4 vulnerable to malicious hackers, including the iPhone 5s and later, iPad Air and later, and iPod touch 6th generation.
The vulnerability, dubbed SockPuppet, was first discovered and exploited last March by Ned Williamson, a security researcher at Google Project Zero, and was subsequently patched by Apple when it released iOS 12.3 on May 13.
The security bugs in macOS and tvOS—where a malicious application may be able to execute arbitrary code with system privileges—had not been disclosed prior to today’s release.
“For our customers’ protection, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available,” said Apple in its security updates.
Although Apple confirmed that the kernel bug was initially discovered by Williamson, the technology giant did acknowledge Pwn20wnd “for their assistance” in finding the vulnerability last week.
On Monday, Pwn20wnd also confirmed in a tweet that the security vulnerability was indeed patched.
The iOS 12.4.1 security content mentions patching the bug used by the SockPuppet exploit.
Apple also credited me for assistance with the kernel — I credited them for the jailbreak so it seems like they wanted to do the same thing ;P. pic.twitter.com/IvyOgv0G3v
— Pwn20wnd is reviving 0-Days (@Pwn20wnd) August 26, 2019
Atherton Research Insights
It goes without saying that every organization and consumer with an Apple computer, mobile device or Apple TV should immediately install today’s security patches.
As I mentioned last week, the reintroduction of such a critical security vulnerability shows that there was something wrong in the software quality validation process at Apple: The bug was known, successfully corrected and deployed in iOS 12.3, but then reintroduced in version 12.4.
Worse, it seems that the bugs also reappeared in the source code of the latest versions of macOS and tvOS.
It is just mind-blowing that one of the world’s most valuable companies, and surely one of the most technologically advanced, doesn’t have a functioning software versioning procedure at this point.
Finally, we recommend being extremely careful when downloading applications from the Apple App Store: Make sure that these apps come from a well-known software publisher, which will reduce the risk of having a secret backdoor or malicious code hidden inside the app.