Apple has issued an update to address a potentially serious security flaw it re-opened in the latest version of iOS.
Monday's iOS 12.4.1 update contains a single fix: a patch to address CVE-2019-8605. The use-after-free vulnerability would let an application gain the ability to execute arbitrary code with system privileges. Credit for discovering the flaw was given to Ned Williamson from Google's Project Zero team, who reported the flaw to Cupertino back in March.
This is not the first time Apple has had to patch CVE-2019-8605. The vulnerability was first addressed with the iOS 12.3 update in May of this year. Users running iOS 12.2 had been using the vulnerability as the catalyst for jailbreak procedures that allow users to install and run non-approved software on their iPhones and iPads.
The flaw was thought to have been closed for good, up until last week when word broke that the unc0ver jailbreak tool was able to unlock 12.4 handsets by once again exploiting the flaw.
It seems Apple had unintentionally rolled back the 12.3 patch that addressed CVE-2019-8605, and the jailbreak exploit for the bug, which had last worked in iOS 12.2, was once again succeeding on new handsets.
Jailbreaks aside, the re-exposure of the bug was embarrassing for Apple and potentially dangerous for end-users. The vulnerability could also have been targeted by criminals to install malware on iOS devices by disguising their apps as legitimate, or by injecting attack code into legitimate apps.
In releasing the fix, Apple made a point of thanking pwn20wnd, the developer of the unc0ver tool.
Those who don't want to jailbreak their iPhones or iPads would be wise to make sure they are running iOS 12.4.1 or later.
Apple also put out updates to address the same vulnerability in macOS and tvOS. These operating systems are considered to be at significantly less risk from the bug, as Apple TV is largely a walled garden and exploiting the flaw on macOS would require code to already be running locally, at which point it's game over anyway.