Apple last week patched a critical iOS memory corruption vulnerability that could allow attackers to execute code on compromised devices.
The flaw was found by Team Pangu, a Chinese hacker group that specializes in building iOS jailbreak tools. The vulnerability is fixed in iOS 9.3.4.
“An application may be able to execute arbitrary code with kernel privileges,” Apple said of the flaw in its advisory; CVE-2016-4654 was assigned to the vulnerability.
The iOS update came hours after a talk at Black Hat USA by Ivan Krstic, head of security engineering and architecture at Apple.
Krstic represented Apple in a rare public session where he described in great detail a number of security features in the upcoming iOS 10, including hardened WebKit Jit mapping which will be new to the mobile OS.
Krstic explained that iOS 10 creates two Jit memory regions, one mapping that is readable and another that is executable; in iOS 9, there is one such region. Krstic explained that the redesign makes it difficult for an attacker to execute arbitrary code.
“They must now subvert control flow via ROP,” Krstic said. “This raises the cost of memory corruption for an attacker significantly.”
Krstic also explained the inner workings of the Data Protection API and the Secure Enclave Processor, two features that narrow the iOS attack surface.
Apple’s biggest move last week at Black Hat was the announcement that it will next month launch its first bug bounty.
The Apple Security Bug Bounty promises a maximum $200,000 payout for vulnerabilities and proof-of-concept code in secure boot firmware components. It will also pay $100,000 for the extraction of confidential material protected by its Secure Enclave Processor, $50,000 for code execution flaws with kernel privileges or unauthorized access to iCloud account data on Apple servers, and $25,000 access from a sandboxed process to user data outside that sandbox.
“We’ve had great help from researchers like you in improving iOS security all along. As the mechanisms we build get stronger, the feedback I’ve gotten from my team is that it’s getting increasingly difficult to find those vulnerabilities,” Krstic said. “The Apple bounty program will reward researchers who share critical vulnerabilities with Apple and we will make it a top priority to resolve those and provide public recognition.”
Apple is not expected to reveal the two-dozen researchers it has invited to the program.
Initial reaction to the payouts was mixed, especially given that governments and underground markets are believed to pay seven figures for iOS zero-day vulnerabilities, and last September, vulnerability buyers at Zerodium hosted a million-dollar iOS 9 bug bounty.
@Mike_Mimoso @cBekrar @Apple wtf ? They are RICH and they prefere to Risk theyr security than buy it ?
— Lalumièredisparaît (@tunisiator) August 5, 2016
@Mike_Mimoso @Apple That's it? They're joking, right?
— Jeff Zacuto (@Jeff_Zacuto) August 5, 2016
“The difficulty in finding most of the critical vulnerabilities is going up and up as we invest in new security technology and mechanisms,” Krstic said. “The difficulty is such that we want to reward people for their time and creativity they put in to finding bugs in these categories.”
