New ways to attack iPhones exposed - make sure you update to iOS 8.4

iOS Masque attackThis week Apple has released the latest version of iOS for iPhone and iPad users - iOS 8.4 - introducing Apple Music.

But even if you're not interested in Apple's attempt to dislodge the likes of Spotify, security firm FireEye has given you another good reason to update your devices to iOS 8.4 - especially if you work for a company that uses its own in-house iOS apps.

In a blog post, security researchers provide details of new so-called Masque attacks, exploiting iOS's failure to properly distinguish between apps with the same bundle identifier.

Full details can be found in the FireEye blog post, including the reveal of a previously undisclosed code injection attack that could allow communications - including those over VPN - to be intercepted and hijacked.

Clearly any vulnerability which would lead to unauthorised monitoring of VPN traffic is very bad news indeed.

It's important to emphasise that targeted iPhones and iPads do not have to be jailbroken to be at risk of having malware installed onto them.

Through social engineering, an attacker could trick users into installing a malicious app onto their iOS devices using the enterprise provisioning feature that Apple provides for companies who wish to roll out their own apps to staff.

The researchers believe that "around one third of iOS devices still have not updated to versions 8.1.3 or above, even 5 months after the release of 8.1.3, and these devices are still vulnerable to all the Masque Attacks."

iOS share

FireEye describes Apple's update for some of the vulnerabilities it reported as only "partial", but it still feels sensible for users to update to iOS 8.4 at the earliest opportunity if possible.

Tags: , , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episodes:

, , , , ,

3 Responses

  1. David L

    July 1, 2015 at 3:35 pm #

    Hi Graham,

    These issues are not new,but a recap from previous blogs. See referenced articles at the end. I have followed this from the beginning and after the partial fix in ios 8.1.3 then wrote about the "new" attack vectors. What Fireeye needs to do is verify the fixes And then write it up. Yes,many have become gun shy after Apple botched some updates,and so wait to see if there are any bugs before updating,and then forget,or don't care to update for what ever reasons. The title of fireeye's blog is a little like click bait, it should have said to be sure to update to ios 8.4 to fix these issues.

    That said,I am not an Apple fan. That they have so many vulnerabilities,and took almost a year to fix them,is the real story. Their last update fixed 80 vulns,50 of which were Safari related. And now,77 fixes,all which need an os update, means that Apple is less secure then Android. Apple is the new MS and should have a patch Tuesday before they become the new Adobe (-:

    • Bob in reply to David L.

      July 1, 2015 at 5:09 pm #

      Microsoft are much better than they used to be in terms of general security and patches. In fact Windows Phones are now THE most secure handset according to research from the University of Cambridge.

      Apple should really take a leaf from Microsoft's book – in Windows 10 all consumer streams of the OS will be updated automatically.

      Apple are terrible at repairing vulnerabilities and then they cover them up.

  2. David L

    July 3, 2015 at 11:03 am #

    A major controversy last year was the backdoored ios that Apple denied,but fixed none the less. There is still a vulnerability about pairings with other computers for anyone interested, Jonathan Zdziarsky was the forensic expert who wrote these issues up. His website has a wealth of information on Apple issues.

Leave a Reply