
Apple security fix didn’t address root cause – now corrected in iOS 16.5

An Apple security fix in iOS 15.6.1 back in August of last year was said to close two major security vulnerabilities, one of which could have allowed a rogue app to execute arbitrary code with kernel privileges (aka do Very Bad Things). But it’s now been revealed that the more serious vulnerability wasn’t closed after all.

Apple did succeed in blocking a specific way of exploiting the vulnerability, but didn’t address the root issue until last week’s iOS 16.5 update, some nine months later …

Last year’s Apple security fix

When Apple released iOS 15.6.1 in August 2022, the company said that the update “provides important security updates and is recommended for all users.”

Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.

This was indeed actively exploited by an attack dubbed ColdIntro. Apple patched iOS against ColdIntro.

But the vulnerability remained

Unfortunately, while Apple blocked the specific attack route used by ColdIntro, security researchers at both Jamf and Google’s Project Zero saw similar attacks succeeding even after the update. These fresh attacks used a variation on ColdIntro, named ColdInvite.

In one example, an attacker managed to fool mobile carrier Vodafone into disabling the plan of a target. The attacker then sent a fake message to the victim asking them to install the My Vodafone app (a genuine app) in order to restore the plan. The link was to a fake version of the app, which contained the malware.

The attack begins by gaining access to the Display Co-Processor (DCP), and then uses this to gain access to the Application Processor (AP).

Analysis revealed that Apple had not blocked the underlying vulnerability that made such attacks possible. Jamf reported this to Apple, and the company fixed the vulnerability itself in iOS 16.5.

How serious is this?

While the phrase “an application may be able to execute arbitrary code with kernel privileges” can be code for “a rogue app can do anything it likes to the phone,” that isn’t the case here. Jamf says that ColdInvite just gets an attacker closer to being able to take over the iPhone.

[Both exploits allow] an attacker to exploit other vulnerabilities within the AP Kernel. Though it’s not sufficient for a full device takeover on its own, this vulnerability can be exploited to leverage the co-processor in order to obtain read/write privileges to the kernel, allowing a bad actor to get closer to realizing their ultimate goal of fully compromising the device.

From the real-world example cited by Google, it also appears that the bad guys would need to fool you into installing their app, meaning that this is most likely to be used as part of a targeted attack on specific individuals. The risk to the average user thus seems low.

All the same, Jamf notes that the approach of compromising one processor in order to gain access to another is only going to increase, so it’s always worth installing iOS updates as soon as possible.

However, if you rely on Apple’s Lightning to USB 3 adapter (which is broken by iOS 16.5), you can safely wait for a fix so long as you don’t tap on links or open attachments you aren’t expecting.

Photo: TechieTech Tech/Unsplash


Author: Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!
