iOS 12.2 Exploits Patched In iOS 12.3 To Be Released To Public Soon
Hacker and researcher Dany Lisiansky has taken to Twitter to confirm that a number of his discovered vulnerabilities have been patched by Apple with the release of iOS 12.3.
He has also provided additional information about the extent of those vulnerabilities, which leaves questions around the value of the bugs related to iOS 12.2 and below as far as a jailbreak is concerned.
According to the initial tweet, Lisiansky has been credited by Apple as the reporter of three individual vulnerabilities which have been patched with the release of iOS 12.3:
Apple just released iOS 12.3, which includes patches for 3 vulnerabilities I discovered: CVE-2019-8593, CVE-2019-8568, CVE-2019-8637. I’ll publish the exploits as soon as possible.
In response to a number of tweets, the researcher has confirmed that none of the reported vulnerabilities related to iOS 12.2 and below are “kernel related”, which means that tfp0 cannot be achieved. However, he has also stipulated that the exploits which he will share pertaining to the vulnerabilities are capable of opening up a “wider attack surface”, meaning that they can be used to further exploit the device in question and potentially find additional bugs or vulnerabilities.
His belief is that these will predominantly be used for research purposes unless someone can take them to the next level with additional vulnerabilities and turn this into something jailbreak-related:
Just to clarify – The exploits will open a wider attack surface which can be used to further exploit the device (with additional vulnerabilities).
They will most likely be used for research purposes, unless someone is willing to disclose more vulnerabilities.
One particular area of interest relates to bug CVE-2019-8637, which Lisiansky suggests is capable of allowing arbitrary code to be executed at a root level, provided that a sandbox bypass is also in place. It definitely doesn’t sound as though we are in a place where a jailbreak for iOS 12.2 is easily obtainable, but it can provide a glimmer of hope for anyone who is willing to take up the challenge of seeing whether there is tangible value in exploring this further.
Lisiansky has stipulated that he is currently reverse engineering iOS 12.3 to see how Apple approached patching the bugs and will publish the exploits relating to the published vulnerabilities in due course.