Zimperium has disclosed the details of eight vulnerabilities which, until recently, left Apple's iOS mobile operating system open to exploitation.
On Thursday, Zimperium, which runs an N-day exploit acquisition program, said the vulnerabilities permitted attackers in some cases to take complete control of a device running Apple's mobile operating system, to access information including GPS data, photos, and contacts, or to conduct denial-of-service (DoS) attacks.
Zimperium researcher Adam Donenfeld discovered the vulnerabilities, one of which can be found in the IOSurface kernel extension.
This vulnerability, CVE-2017-6979, is a race condition bug that allows attackers to bypass sanity checks for the creation of an IOSurface object. If exploited, the security flaw can result in a local elevation of privilege or denial of service.
Seven others were found in AppleAVEDriver.kext. CVE-2017-6989 and CVE-2017-6995 are bugs that can be used to drop the refcount of any IOSurface object in the kernel or send an arbitrary kernel pointer -- which will be used by the kernel as a pointer to a valid IOSurface object.
Either flaw can be used by attackers for privilege escalation.
Of the remaining AppleAVEDriver flaws, the first could be exploited to free any memory block of size 0x28; the second could be exploited to free any pointer of size 0x28; and the third, a type confusion problem, allowed attackers to hijack kernel code execution. The final issue could be exploited to zero user-controlled pointers.
All of these security flaws lead to privilege escalation, denial of service, or information disclosure.
Another bug, CVE-2017-6994, allowed attackers to leak the kernel address of any IOSurface object in the system, which by its very nature results in information disclosure.
Apple's iOS before 10.3.2, tvOS before 10.2.1, and watchOS before version 3.2.2 are all affected.
Apple fixed these issues in May with the iOS 10.3.2 security update, alongside a range of bugs found in SQLite, WebKit, iBooks, and CoreText, among others.
Donenfeld plans to release additional technical details and proof-of-concept (PoC) code soon, but an embargo stipulated by Apple has delayed the release.