Apple has fixed a security flaw — for a second time — after it accidentally reintroduced the same bug in a recent software update.
iOS 12.4.1, released Monday, contains a security fix that was first introduced months earlier in iOS 12.3. Apple patched the flaw in May, but accidentally undid the security patch in its latest update, iOS 12.4, in July.
In a brief security advisory published after the software’s release, Apple said it fixed a kernel vulnerability that could have allowed an attacker to execute code on an iPhone or iPad with the highest level of privileges.
Those privileges, also known as system or root privileges, can open up a device to running apps that are not normally allowed by Apple’s strict rules. Known as jailbreaking, this lets apps access parts of a device that are normally off-limits. On one hand that allows users to extensively customize their devices, but it can also expose the device to malicious software, like malware or spyware apps.
Spyware apps often rely on undisclosed jailbreak exploits to get access to a user’s messages, track their location, and listen to their calls without their knowledge. Nation states are known to hire mobile spyware makers to remotely install malware on the devices of activists, dissidents, and journalists. Washington Post journalist Jamal Khashoggi, who was murdered by agents of the Saudi regime, is believed to have been targeted by mobile spyware, according to reports. The company accused of supplying the spyware, Israel-based NSO Group, has denied any involvement.
Apple confirmed the fix in its iOS 12.4.1 security notes, which included a short acknowledgement to Pwn20wnd, the team which confirmed last week that its jailbreak was working again.