Update: Code execution on wi-fi chip foiled.

Apple has released an urgent update to its iOS mobile operating system, just days after it distributed a new iOS 10.3 version to iPhone and iPad users around the world.
The update, iOS 10.3.1, takes care of a single vulnerability that could allow attackers to run arbitrary code on the wi-fi chip built into iPhone 5, iPad 4th generation and iPod Touch 6th generation and later devices, Apple said.
Attackers who are in range of vulnerable devices could run code on the devices by exploiting a stack buffer overflow in iOS.
Apple has now addressed the vulnerability, which was found by researcher Gal Beniamini from Google's Project Zero team, by improving data input validation.
The company released iOS 10.3 on March 28 this year. The update contained patches for 70 vulnerabilities, 18 of which could be exploited for remote code execution.
Apple last week released a public beta of iOS 10.3.2 for users to test.
Update 5/4/17: Google's Gal Beniamini has published details of the wi-fi vulnerability.
The flaw lies in the firmware for the Broadcom wireless system on a chip, which Apple uses in its devices.
Beniamini discovered the firmware lacks security features such as stack cookies, safe unlinking, and access permission protection through the hardware memory protection unit built into the chip.
By analysing the firmware and how it interacts with the hardware, Beniamini was able to write an exploit that, via the wireless interface, could overflow the stack buffer in the firmware, and overwrite the memory in the device to achieve arbitrary code execution.
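The bug class described above, as an added illustration that is not Beniamini's exploit or Broadcom's firmware code: a constructed type/length/value element parser that trusts an over-the-air length byte and copies into a fixed-size stack buffer, beside the hardened version that validates the length against the buffer and the remaining frame before copying. All function names, the element layout and the sample frames are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ELEM_MAX 32   /* fixed size of the on-stack scratch buffer */

/* Vulnerable pattern: the length byte at frame[1] arrives from the air and is
 * trusted. A length above ELEM_MAX writes past buf on the stack, which is the
 * shape of bug a missing stack cookie leaves unguarded. Kept for comparison
 * only; not called by the checks below. */
int copy_elem_unsafe(const uint8_t *frame, size_t frame_len, uint8_t *out)
{
    uint8_t buf[ELEM_MAX];
    if (frame_len < 2) return -1;
    uint8_t len = frame[1];
    memcpy(buf, frame + 2, len);          /* no bound on len */
    memcpy(out, buf, len);
    return len;
}

/* Hardened pattern ("improved input validation"): reject the element if its
 * claimed length exceeds the stack buffer, the caller's buffer, or the bytes
 * actually present in the frame. Returns the element length or -1. */
int copy_elem_checked(const uint8_t *frame, size_t frame_len,
                      uint8_t *out, size_t out_len)
{
    uint8_t buf[ELEM_MAX];
    if (frame_len < 2) return -1;
    uint8_t len = frame[1];
    if (len > ELEM_MAX || len > out_len || (size_t)len > frame_len - 2)
        return -1;
    memcpy(buf, frame + 2, len);
    memcpy(out, buf, len);
    return len;
}

/* Constructed frames: type byte, length byte, payload. */
int demo_valid(void)          /* well-formed 4-byte element */
{
    const uint8_t frame[] = { 0x00, 0x04, 'a', 'b', 'c', 'd' };
    uint8_t out[ELEM_MAX];
    return copy_elem_checked(frame, sizeof frame, out, sizeof out);
}

int demo_oversized(void)      /* length byte claims 0xFF bytes */
{
    const uint8_t frame[] = { 0x00, 0xFF, 'a', 'b' };
    uint8_t out[ELEM_MAX];
    return copy_elem_checked(frame, sizeof frame, out, sizeof out);
}

int demo_truncated(void)      /* length 8 but only 2 payload bytes present */
{
    const uint8_t frame[] = { 0x00, 0x08, 'a', 'b' };
    uint8_t out[ELEM_MAX];
    return copy_elem_checked(frame, sizeof frame, out, sizeof out);
}
```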
Broadcom’s wireless SoCs are also used by Android device makers. Beniamini’s proof-of-concept code for the exploit was similarly executed on a Google Nexus 6P.
The Google Project Zero researcher noted that Broadcom had been “incredibly responsive and helpful, both in fixing the vulnerabilities, and making the fixes available to affected vendors”.
Beniamini said he would continue to explore how to further escalate attacker privileges in a second piece of research. He intends to show how to gain control over the wi-fi SoC to take over the host device operating system wirelessly.