
Apple Emergency Update Fixes Major Flaw With iOS 9.3.4

Apple said it has fixed a flaw in iOS that could allow attackers to take over iPad and iPhone devices.

The bug was serious enough to prompt Apple to issue a software update, iOS 9.3.4, that fixes this bug alone.

Emergency patch

The update appears two weeks after Apple’s last iOS patch, which fixed another critical flaw that affected the ImageIO subsystem.

The latest patch fixes a bug in the IOMobileFrameBuffer component that could allow an application to execute malicious code with kernel privileges, Apple said.

“A memory corruption issue was addressed through improved memory handling,” Apple said in its advisory.

The bug was discovered by Team Pangu, which develops jailbreaking software to allow iOS devices to run outside of Apple’s built-in restrictions, Apple said.

IT security researchers said such flaws can be used by jailbreakers to make devices perform specialised functions, but can also allow serious attacks.

Device takeover

“A kernel-level RCE bug is a double gift to crooks, because software that runs inside the kernel isn’t subject to the same sandboxing limitations as a regular app,” said Sophos researcher Paul Ducklin in an advisory. “An RCE that applies to a single app is like hacking into one set of traffic lights in a busy metropolitan area; a kernel RCE is more like hacking into the central server that controls all the traffic lights at every intersection in the city.”

Apple’s next major iOS version is expected to be released in September.

Researchers said frequent updates are necessary to protect mobile devices from ever more sophisticated criminal hacks, and noted that Apple’s devices are relatively easy to keep up to date.

“If you ever think security is a pain on your mobile device, just have a word with your Android-owning friends, many of whom will find it hard to remember when (if ever) they received their last operating system update,” said researcher Graham Cluley in an advisory.


Matthew Broersma

Matt Broersma is a long-standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications.
