Hacker News new | ask | show | jobs
by walterbell 3372 days ago
I can't recall so many (80?) security fixes in a recent iOS update. A malicious font, audio file, image file or website can cause arbitrary execution?! When a file parser or Safari is vulnerable, why doesn't the iOS sandbox block device/root modifications?

What happens if your device is already infected? Does the update process replace all OS files or could an infected device still contain malware after upgrade to 10.3?

Are there tools or apps that can report system level logs, e.g. could iOS 10.3 detect and report if known-malicious files are present on a device?
3 comments
Someone 3372 days ago
"may lead to arbitrary code execution" often means they didn't take the time to detect whether it does.

Reason is that it isn't worthwhile to spend time on that. Firstly, it is typically impossible to prove that a vulnerability cannot lead to arbitrary code execution (to do so, you would likely have to know _all_ vulnerabilities in your code), and secondly, defense in depth still requires plugging all holes, even if you can _now_ prove they just lead to an impregnable barrier.

And already infected devices very, very likely are safe after a reboot (the OS will only run signed code, and the malware isn't signed, or even considered code), but still may carry files that could infect systems running older iOS versions.

link
besselheim 3372 days ago
The sandbox does block such modification, but a useful exploit would combine the arbitrary code execution vulnerability with a sandbox escape, using e.g. some arbitrary read/write vulnerability in the kernel or similar.
link
walterbell 3372 days ago
In that case, would the list of iOS 10.3 security fixes mention at least one sandbox escape or kernel vulnerability? Since it does not, can we assume that most (all?) of the listed "arbitrary code executions" would be isolated by the iOS application sandbox?

Or should we assume that competent attackers are hoarding sandbox escapes and thus most app vulnerabilities can be escalated to device compromise?

link
tptacek 3372 days ago
No, you can't make any such assumptions from the text of the update. But you can probably assume there's localhost sandbox escape (or kernel RCE) available to serious attackers.
link
caf 3372 days ago
The list does include several kernel vulnerabilities anyway so the question is moot.
link
beamatronic 3372 days ago
Perhaps a scanner could be run on an iPhone backup directory (on disk on your Mac/PC).
link