Apple rushes out iOS patch for wi-fi vulnerability

By

Update: Code execution on wi-fi chip foiled.

Apple has released an urgent update to its iOS mobile operating system, just days after it distributed a new iOS 10.3 version to iPhone and iPad users around the world.

Apple rushes out iOS patch for wi-fi vulnerability

The update, iOS 10.3.1, takes care of a single vulnerability that could allow attackers to run arbitrary code on the wi-fi chip built into iPhone 5, iPad 4th generation and iPod Touch 6th generation and later devices, Apple said.

Attackers who are in range of vulnerable devices could run code on the devices by exploiting a stack buffer overflow in iOS. 

Apple has now addressed the vulnerability, which was found by researcher Gal Beniamini from Google's Project Zero team, by improving data input validation.

The company released iOS 10.3 on March 28 this year. The update contained patches for 70 vulnerabilities, 18 of which could be exploited for remote code execution. 

Apple last week released a public beta of iOS 10.3.2 for users to test.

Update 5/4/17: Google's Gal Beniamini has published details of the wi-fi vulnerability. 
 
The flaw lies in the firmware for the Broadcom wireless system on a chip, which Apple uses in its devices.
 
Beniamini discovered the firmware lacks security features such as stack cookies, safe unlinking, and access permission protection through the hardware memory protection unit built into the chip.
 
By analysing the firmware and how it interacts with the hardware, Beniamini was able to write an exploit that, via the wireless interface, could overflow the stack buffer in the firmware, and overwrite the memory in the device to achieve arbitrary code execution.
 
Broadcom’s wireless SoCs are also used by Android devices makers. Beniamini’s proof of concept code for the exploit was similarly executed on a Google Nexus 6P.
 
The Google Project Zero researcher noted that Broadcom had been “incredibly responsive and helpful, both in fixing the vulnerabilities, and making the fixes available to affected vendors".
 
Beniamini said he would continue to explore how to further escalate attacker privileges in a second piece of research. He intends to show how to gain control over the wi-fi SoC to take over the host device operating system wirelessly.

 

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
applegoogleiosproject zerosecurity

Sponsored Whitepapers

Datacom + Microsoft Azure: Turn Ideas Into Impact in Just 4 Weeks
Datacom + Microsoft Azure: Turn Ideas Into Impact in Just 4 Weeks
Protect APIs. Protect Your Business.
Protect APIs. Protect Your Business.
KnowBe4 Benchmark Report: Reducing Human Risk & Phishing Vulnerability in ANZ
KnowBe4 Benchmark Report: Reducing Human Risk & Phishing Vulnerability in ANZ
Modern Identity for SAP and Beyond: Replace SAP IDM with Saviynt
Modern Identity for SAP and Beyond: Replace SAP IDM with Saviynt
Saviynt Simplifies GRC and Access Control for SAP and Beyond
Saviynt Simplifies GRC and Access Control for SAP and Beyond

Events

Most Read Articles

Qantas facing 'significant' data theft after cyber attack

Qantas facing 'significant' data theft after cyber attack
Ex-student charged over Western Sydney University cyberattacks

Ex-student charged over Western Sydney University cyberattacks
Home Affairs officer accessed data on "friends and associates"

Home Affairs officer accessed data on "friends and associates"
SA Water plans 'once-in-a-generation' core technology uplift

SA Water plans 'once-in-a-generation' core technology uplift
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?