This article originally appeared in TidBITS on 2016-08-25 at 11:23 a.m.

iOS 9.3.5 Blocks Remote Jailbreak

by Josh Centers

Less than a month after the release of iOS 9.3.4 (see “Apple Releases iOS 9.3.4 with a Single Security Fix [1],” 4 August 2016), Apple has released yet another security-focused iOS update: iOS 9.3.5.

The New York Times writes [3] that this rapid release comes in response to what appears to be a government attempt to compromise the iPhone of Ahmed Mansoor, a prominent human rights activist based in the United Arab Emirates. Two weeks ago, he reported several suspicious SMS text messages to researchers at the digital rights watchdog group Citizen Lab [4]. With assistance from the research team at Lookout, Citizen Lab was able to identify the texts as coming from an exploit infrastructure created by NSO Group, an Israel-based “cyber-war” company that makes phone surveillance software. The chain of exploits would have led to a remote jailbreak enabling the attacker — likely the UAE government — to install sophisticated spyware on Mansoor’s iPhone. Citizen Lab reported these vulnerabilities to Apple, which promptly fixed them in iOS 9.3.5; Citizen Lab’s report [5] makes for fascinating reading — it’s a real-world thriller.

The three specific vulnerabilities, as outlined by Apple’s security note [6], involve bugs that could allow applications to disclose kernel memory or allow application execution and a vulnerability that would allow malicious Web sites to execute code.

It’s extremely unlikely that most people would be targeted by NSO Group’s exploit chain, given that it undoubtedly sells for big bucks. However, now that the vulnerabilities on which it relies have been blocked by iOS 9.3.5, it’s easy to imagine the price dropping significantly, enabling garden-variety miscreants to buy and use it against those who don’t update.

Since the result could be your iPhone being used to track your movements, record audio and video from your surroundings, snoop on messages in chat apps, and more, we recommend that you install iOS 9.3.5 as soon as possible. Download sizes vary, but it was about 38 MB on an iPhone 5s, and you can update via Settings > General > Software Update or through iTunes.