Apple patches drive-by Wi-Fi flaw with emergency iOS patch
Less than a week after Apple pushed out iOS 10.3 comes an iOS emergency patch that all iDevice owners should implement as soon as possible.
The security note accompanying iOS 10.3.1 says only that the fixed problem is a stack buffer overflow vulnerability, addressed through improved input validation, and that it allows an attacker within range to execute arbitrary code on the Wi-Fi chip.
No more details about it were shared, but Gal Beniamini of Google Project Zero – the discoverer of the flaw – noted that more information about it will be provided tomorrow, and that it is not the same bug as the one he found last year in Broadcom’s Wi-Fi HardMAC SoC (system-on-a-chip) product.
iOS 10.3.1 is available for practically all iDevices out there: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later. So, if you own one or more of them, it’s a good idea to start patching.
UPDATE (April 5th, 2017):
As promised, Gal Beniamini shared more details about the vulnerability patched on Monday by Apple.
His post is extremely technical, and focuses more on how the flaw affects Android mobile devices, but the short version is this: the flaw was found in the firmware running on Broadcom’s Wi-Fi system-on-chip (SoC) – which is used in all newer iThings – and can be triggered with specially crafted wireless frames, which an attacker can send directly to the victim’s device as long as it is within Wi-Fi range.
Exploitation does not require user interaction, and can result in arbitrary code being run on the target device.
“We’ve seen that while the firmware implementation on the Wi-Fi SoC is incredibly complex, it still lags behind in terms of security. Specifically, it lacks all basic exploit mitigations – including stack cookies, safe unlinking and access permission protection (by means of an MPU),” Beniamini noted.
“Broadcom have informed me that newer versions of the SoC utilise the MPU, along with several additional hardware security mechanisms. This is an interesting development and a step in the right direction. They are also considering implementing exploit mitigations in future firmware versions.”
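To make the two points above concrete – a stack buffer overflow reachable from a crafted frame, fixed by input validation, on firmware with no stack cookies – here is an added illustration. It is not Broadcom’s firmware, Apple’s fix or Beniamini’s exploit; it is a toy parser for an 802.11-style information element (one tag byte, one length byte, then the value) that copies the value into a fixed-size buffer. The “stack frame” is a flat byte array (buffer, then a cookie slot, then a saved return address) so the overflow stays memory-safe to run; the IE layout, buffer size and cookie value are assumptions chosen for the example.

```c
/*
 * Added example, not code from Broadcom, Apple or Project Zero.
 * A simulated stack frame: [IE value buffer][stack cookie][saved return].
 * The vulnerable parser trusts the attacker-supplied length byte; the
 * hardened one applies the length check that "improved input validation"
 * implies. The cookie slot shows what a stack cookie would have caught.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IE_BUF_LEN   32                  /* assumed on-"stack" value buffer */
#define COOKIE_OFF   IE_BUF_LEN          /* cookie sits right after it      */
#define RET_OFF      (IE_BUF_LEN + 4)    /* then the saved return address   */
#define FRAME_BYTES  (IE_BUF_LEN + 8)
#define STACK_COOKIE 0xDEADC0DEu         /* assumed cookie value            */
#define ORIG_RET     0x00010000u         /* assumed legitimate return addr  */

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void     wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Set up a fresh frame with an intact cookie and return address. */
void frame_init(uint8_t frame[FRAME_BYTES]) {
    memset(frame, 0, FRAME_BYTES);
    wr32(frame + COOKIE_OFF, STACK_COOKIE);
    wr32(frame + RET_OFF, ORIG_RET);
}

/* The check a stack-cookie epilogue would perform before returning. */
int cookie_intact(const uint8_t frame[FRAME_BYTES]) {
    return rd32(frame + COOKIE_OFF) == STACK_COOKIE;
}

uint32_t saved_ret(const uint8_t frame[FRAME_BYTES]) { return rd32(frame + RET_OFF); }

/* Vulnerable: copies ie[1] bytes without comparing against IE_BUF_LEN.
 * The clamp to FRAME_BYTES exists only to keep this simulation within
 * the byte array; real firmware would keep writing past the frame.
 * Returns the number of bytes copied, or -1 on a truncated header. */
int parse_ie_vulnerable(const uint8_t *ie, size_t ie_len, uint8_t frame[FRAME_BYTES]) {
    if (ie_len < 2) return -1;
    size_t len = ie[1];
    if (len > ie_len - 2) len = ie_len - 2;   /* only bytes actually present */
    if (len > FRAME_BYTES) len = FRAME_BYTES; /* simulation-only clamp       */
    memcpy(frame, ie + 2, len);               /* overflows when len > 32     */
    return (int)len;
}

/* Hardened: rejects a length that exceeds either the bytes on the wire or
 * the destination buffer, before any copy takes place. */
int parse_ie_hardened(const uint8_t *ie, size_t ie_len, uint8_t frame[FRAME_BYTES]) {
    if (ie_len < 2) return -1;
    size_t len = ie[1];
    if (len > ie_len - 2 || len > IE_BUF_LEN) return -1;
    memcpy(frame, ie + 2, len);
    return (int)len;
}

/* Constructed inputs (not captured traffic). Tag 0xDD = vendor-specific IE. */
size_t make_benign_ie(uint8_t *out) {
    out[0] = 0xDD; out[1] = 8;
    memset(out + 2, 0x11, 8);
    return 10;
}

/* Length byte claims 40 bytes: 32 fill the buffer, 4 land on the cookie,
 * 4 replace the saved return address with 0x43434343 ("CCCC"). */
size_t make_malicious_ie(uint8_t *out) {
    out[0] = 0xDD; out[1] = FRAME_BYTES;
    memset(out + 2, 'A', IE_BUF_LEN);
    memset(out + 2 + COOKIE_OFF, 'B', 4);
    memset(out + 2 + RET_OFF, 'C', 4);
    return 2 + FRAME_BYTES;
}

int main(void) {
    uint8_t frame[FRAME_BYTES], ie[64];
    size_t n = make_malicious_ie(ie);

    frame_init(frame);
    parse_ie_vulnerable(ie, n, frame);
    printf("vulnerable: cookie %s, saved return 0x%08x\n",
           cookie_intact(frame) ? "intact" : "SMASHED", saved_ret(frame));

    frame_init(frame);
    printf("hardened:   rc=%d, cookie %s, saved return 0x%08x\n",
           parse_ie_hardened(ie, n, frame),
           cookie_intact(frame) ? "intact" : "SMASHED", saved_ret(frame));
    return 0;
}
```

The vulnerable path shows both halves of Beniamini’s point: the attacker-controlled length byte drives the copy straight over the saved return address, and because nothing checks the cookie, the function would return into attacker-chosen bytes. The hardened parser is the fix the Apple note describes; the cookie check is the mitigation the firmware lacked, which would have turned the same overflow into an abort rather than code execution.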