Apple Fixes Critical Jailbreak Vulnerability… Again

A patch has been released to address a critical jailbreak vulnerability in iOS 12.4. The flaw is a use-after-free vulnerability affecting the iOS kernel and is being tracked as CVE-2019-8605. If exploited, an attacker could execute arbitrary code with system-level privileges and jailbreak the phone.

Jailbreaking an iPhone allows software to be installed that would not otherwise be permitted and gives users more control over their device. However, jailbreaking phones also removes certain security protections, which leaves the devices vulnerable to attack.

The flaw could be exploited by incorporating the exploit into an application that could escape the iOS sandbox. Alternatively, the flaw could be combined with other vulnerabilities to allow a targeted device to be hacked remotely.

The flaw was reported to Apple by Google Project Zero researcher Ned Williamson and Apple patched the flaw in iOS 12.3; however, the vulnerability was accidentally reintroduced in iOS 12.4. The error was identified by security researcher Pwn20wnd, who developed an exploit for the vulnerability and released it online. The exploit allows iPhone users to jailbreak their phones for free. Several iPhone owners claim to have used the exploit to jailbreak their phones.

Pwn20wnd suggested the vulnerability could be exploited and used to develop ‘perfect spyware’.

The flaw exists on all iOS devices running iOS 12.4 and iOS versions 12.2 and earlier. iOS 12.3 is unaffected and the latest version, iOS 12.4.1, has had the flaw corrected.

The update is currently available for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation. All Apple customers have been advised to check what software version they have installed and to apply the update as soon as possible.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news