A security researcher published PoC exploit code for critical vulnerabilities in the Apple Safari web browser and iOS that remote attackers can use to compromise an iPhone X running iOS 12.1.2 and earlier versions.
The PoC exploit code was developed by security researcher Qixun Zhao of Qihoo 360’s Vulcan Team.
To compromise a victim's device, all an attacker needs to do is trick the victim into visiting a specially crafted web page using the Safari browser.
The jailbreak exploit is a combination of two critical vulnerabilities: a type confusion memory corruption flaw in Apple’s Safari WebKit (CVE-2019-6227) and a use-after-free memory corruption bug (CVE-2019-6225) in the iOS kernel.
The Safari flaw allows maliciously crafted web content to execute arbitrary code on the victim's device, and the iOS kernel flaw allows the attacker to elevate privileges and install a malicious application.
The researcher did not publish the exploit code for the iOS jailbreak to prevent attacks against Apple users. The researcher also shared a proof-of-concept video demonstration for the exploit.
“I will not release the exploit code, if you want to jailbreak, you will need to complete the exploit code yourself or wait for the jailbreak community’s release. At the same time, I will not mention the exploit details of the post exploit, as this is handled by the jailbreak community,” the researcher said in the blog post.
Apple has addressed both vulnerabilities in iOS version 12.1.1. All iPhone users are advised to update their devices immediately.