Tech

Apple zero-day vulnerability fully compromises your devices

The severe and previously unknown flaw circumvents Apple's stringent security features to compromise devices.

Written by Charlie Osborne, Contributing Writer March 24, 2016 at 1:35 a.m. PT

A zero-day vulnerability discovered within Apple's OS X operating system allows hackers to exploit key protection features and steal sensitive data from devices.

Speaking at at the security conference SysCan360 2016 in Singapore, SentinelOne researcher Pedro Vilaça said on Thursday that the vulnerability is present in both OS X and iOS, and impacts every version to date.

The critical issue allows for local privilege escalation and bypasses System Integrity Protection (SIP), which is Apple's newest protection feature. System Integrity Protection was introduced in the OS version El Capitan, and restricts the root account of OS X devices -- limiting the actions that the root user can perform on protected parts the system in order to reduce the chance of malicious code performing privilege escalation and hijacking a device.

Vilaça, who discovered the vulnerability, says exploiting the bug grants attacks the ability to circumvent this feature without the need for a kernel exploit. The flaw is a non-memory corruption bug which "allows users to execute arbitrary code on any binary," according to the researcher.

The researcher told ZDNet how the bug can be used to compromise a system, commenting:

"The exploit can be used to control any entitlement given to Apple to a certain binary. Because Apple needs to update the system there are binaries authorized to make modifications so those binaries can be exploited to bypass SIP.
The same exploit can also be used to load unsigned kernel code, and then fully disable SIP inside the kernel."

In order to exploit the vulnerability, a cyberattacker must first compromise the target system through whichever means necessary -- such as a spear phishing attack or browser exploit, for example.

The researcher said the bug is "100 percent reliable," and could be part of a "bug chain" which exploits browsers including Safari or Chrome.

"It is a logic-based vulnerability, extremely reliable and stable, and does not crash machines or processes," Vilaça says. "This kind of exploit could typically be used in highly targeted or state-sponsored attacks."

The zero-day vulnerability could be leveraged to run arbitrary code on the system, perform remote code execution or sandbox escapes. Then, attackers could escalate the malware's privileges to bypass SIP and stay on the system.

Security

The issue was discovered in early 2015 and was reported to Apple in January this year.

The flaw has been patched, but only in updates for El Capitan 10.11.4, and iOS 9.3, which was released March 21.

Google's Project Zero has also released technical details on the vulnerability. Vilaça said he was not aware of any examples of the exploit being used in the wild, but admitted it was possible as the bug is present on all OS X versions -- and "there is always a possibility that someone else found it before I did."

The takeaway? If your iOS or OS X device is running on an older version of the operating system, you should update as soon as you can to mitigate the risk of this zero-day vulnerability.