A British government-funded research project has found a new vulnerability in the iPhone security software, allowing hackers to take advantage of a ‘zero-day’ exploit that could be used to exploit vulnerabilities in Apple products, including iPhones and iPads.
The new vulnerability was disclosed on Friday in the UK’s National Cyber Security Centre (NCSC), an organisation run by the Department for Digital, Culture, Media and Sport (DDCMS) that was created in 2011 to address digital security concerns in the country.
A UK government-run initiative to tackle cyber-attacks The National Cyber Crime Unit (NCU) and the Office of the National Cybersecurity Executive (NCCE) have jointly developed a new exploit for the Apple iOS software that allows attackers to use a ‘black box’ exploit to bypass a sandboxing process.
In addition to bypassing sandboxing, the exploit also allows the attacker to execute code on the target device, bypass encryption on the device, and access the device’s internal memory.
According to NCCE, the new vulnerability is described as a ‘soft-exclusion’ vulnerability that was discovered by the NCU and is one of the most common zero-day vulnerabilities.
It is a known vulnerability that has been exploited by hackers in the past, but the vulnerability is now considered a ‘hard-exemption’ vulnerability and does not trigger sandboxing.
NCSC director Mark Treadwell said: “We believe this vulnerability has been used to gain a foothold in the iOS sandbox.”
The vulnerability has the potential to allow a malicious actor to bypass security settings on iPhones that would prevent them from running the latest iOS security updates, allowing them to bypass the sandbox and gain control of the device.
NCCC said that in addition to the vulnerabilities reported on Friday, it had also discovered a second vulnerability in Apple iOS that was identified by the security company Symantec as a separate vulnerability. “
This allows the exploit to be deployed on iOS devices running a sandboxed version of iOS and then the exploit can be deployed in an attempt to compromise the target iOS device.”
NCCC said that in addition to the vulnerabilities reported on Friday, it had also discovered a second vulnerability in Apple iOS that was identified by the security company Symantec as a separate vulnerability.
Symantec said that it had discovered a third vulnerability in iOS that it said was also exploitable by the exploit described in the National Report.
Both of these vulnerabilities are described in this report.
Apple said it would publish a patch for both vulnerabilities in the next few days, but said it was working to provide an update to all affected devices.
This report contains information from a UK-based source and should not be considered to be an endorsement by Apple.
Read more about security in general.
See more about this report on the BBC’s website.
Image credit: National Cyber Defence Centre (NCCC)