
Apple Accidentally Unpatches Vulnerability, Leading to New iOS 12.4 Jailbreak - dvcrn
https://www.macrumors.com/2019/08/19/ios-12-4-vulnerability-leads-to-jailbreak/
======
dessant
It's unfortunate how Apple and Google approach device ownership, and their
attitude towards the concept of general computing is concerning.

We do not control our own devices, we cannot stop certain processes on them,
and we do not know where our personal data is sent.

We either have to flash ROMs from questionable sources and apply temporary
exploits to get some kind of resemblance of control of our own devices, or we
have to spend years to learn the skills to unlock these systems ourselves.

~~~
andreasley
I think Apple's approach is the only reasonable one for the general
population. The technological complexity of any smartphone is far beyond
comprehension for most people. I write iOS software for a living, and even
with complete access to the source code, I couldn't reasonably evaluate my
iPhone's software - let alone the hardware.

The idea that ROMs from questionable sources make your device safer sounds
very strange to me.

Basically every electronic device has countless security issues. Some of them
are found, of which some are published, of which most are eventually fixed (by
rather large teams of professionals). In that regard, Apple could and should
do better.

But the burden of making such a complex device secure simply can't be put on
the end user.

While I would welcome deeper access for technically inclined people, I'm not
sure that option can really be given by Apple/Google without the risk of
becoming a disadvantage for many users.

~~~
dessant
I think locking down a system by default, but offering a way to gain elevated
privileges, while educating and properly warning users before certain actions
is better than taking away everyone's control over their own devices, and
therefore restricting their freedom.

~~~
athenot
The problem with that approach is $popular_social_media app comes along and
coaxes users to relax said privileges "because reasons" and before long
there's a significant proportion of users who altered the security model of
their device without understanding what is going on.

~~~
worble
If people do that, that's on them. So long as the device appropriately warns
people, I fail to see how it's the company's problem to baby people who don't
know what they're doing. It's their device, if they want to break out, let
them.

It's like saying "Why should we have knives? It's only a matter of time until
$popular_social_media comes along and tells people to cut off their index
fingers and before long there's a significant proportion of users who can't
point anymore".

~~~
wsy
A lot of tools have safety measures which can't be circumvented by their users
(e.g., you have to use both hands to start them). The reason being that some
dangers are easily underestimated, even by experienced users. Manufacturers do
indeed know much better about the inherent risks of their products than users.

If a knife could be built which allows you to cut food, and protects you from
cutting off your index finger, wouldn't that be great?

~~~
terragon
Are you really comparing an object which holds a threat of blood loss, loss of
organs and possible death as requiring similar safeguards as a phone?

------
pier25
I've never understood why iOS isn't more like macOS. There aren't really any
technical reasons why this couldn't be.

It's common for the security argument to be used to justify Apple's practices,
but Mac users have been perfectly fine installing third party apps such as
Transmit, Adobe Photoshop, or even Google Chrome from outside of Apple's
walled garden. I've been using macOS since 2007 and I've never had a virus or
any security problem, nor anyone else I know using a Mac. From my dev
colleagues to my 70 year old mother in law or my 15 year old nephew.

It seems to me the only real arguments for Apple's walled garden are
economical.

~~~
TacticalTable
Market share is an appreciable concern here. Macs haven't been more than 20%
of the market for a _long_ time. iPhones are a much larger market share,
especially among affluent users. I don't think we'd see any widespread
viruses, but there would certainly be a ton of people losing their financial
info from their own irresponsibility.

~~~
pier25
So your argument is that because there are more users it needs to be more
secure?

~~~
TacticalTable
My argument is primarily that if somebody is looking to infect users, are they
going to target the 86%, or the 13%? Macs have benefited for years by largely
not being targeted by the majority of malware developers. If mobile devices
open the walled garden, you get something similar to Android's malware issues
_at best_.

~~~
pier25
iOS does not have an 86% market share. Not even close. Globally it's closer to
15%. In the US it's closer to 55%.

If you argue that the 86% is the case on certain demographics, then the same
can be argued about macOS.

~~~
TacticalTable
The demographic argument is what I'm going with. MacOS is 18%, compared to
Windows at 74% [1]. When comparing the mobile statistics, they're bouncing
around 50%. The iOS pool would be a _much_ larger pool to attack than MacOS,
and for little financial benefit for Apple.

My prediction: If Apple opened the garden, even for a 'developer only' mode, I
would imagine unregulated app stores would go up overnight, with wikihow
articles on how to enable and install them, followed by a large amount of the
technically illiterate (speaking from experience) trying to get free games, or
'add new emojis'. Users can't be trusted, and if consumer desktop operating
systems were designed today, they wouldn't have the freedom they currently
have.

[1]: https://gs.statcounter.com/os-market-share/desktop/united-states-of-america
(Not entirely sure on the accuracy/gathering of this data, but it had
the easy filtering and seems to line up with both of our data points)

~~~
pier25
> _followed by a large amount of the technically illiterate (speaking from
> experience) trying to get free games, or 'add new emojis'_

I agree some people would do it... but I doubt it would be such a large
number. Do you have any data about this?

Users can already do that in Windows, macOS, and Android. From my anecdotal
experience very few do it.

~~~
TacticalTable
> I agree some people would do it... but I doubt it would be such a large
> number. Do you have any data about this?

No, nothing more than anecdotal. But I'd argue 'some people' when you're
operating on the scale of the hundreds of millions-billions that Apple
operates at, would still be hundreds of thousands of support requests from
users who have inadvertently made their phone unusable (using some jailbreak
tweaks as a reference) to extremely annoying (referencing many Android apps
that abuse push notifications for advertising).

> Users can already do that in Windows, macOS, and Android. From my anecdotal
> experience very few do it.

I used to work IT for a school system, and I had an entirely different
experience. Teachers would occasionally ask for help with their personal
laptops (without our AD) and they were near universally a minefield of
toolbars and adware. There's obviously some self-selection in there, but if
the 5% of teachers couldn't handle a computer responsibly, that would be a big
problem for Apple if they added more ways for users to screw themselves.

Of course, all this is anecdotal, so I'm not expecting this conversation to
really convert either of us.

~~~
pier25
I work in edtech and I can only agree that teachers are some of the more tech
illiterate users I've ever seen. :)

But yeah, without any solid data we will both stick to our anecdotal
experiences.

------
userbinator
The saddest thing about this is the article presents jailbreaking as an
entirely negative thing, while the comments offer a more balanced opinion.

~~~
auiya
For most end-users it is. It allows any compromise of the device to elevate to
root privileges.

------
nikisweeting
I'm just thankful for a working jailbreak on the latest version with no
"Please update your iOS beta version" popup. It's like a dream come true.

~~~
nathancahill
Absolutely incredible to have a jailbreak on the latest signed version of iOS.

------
stock_toaster
No regression tests? ಠ_ಠ

~~~
threeseed
It looks like a bad merge in which if there was a test it would've not been
merged either.

~~~
m0xte
(again). Goto fail comes to mind.

------
lol768
> A third security researcher, Stefan Esser said that people should be careful
> what apps they download from the App Store right now. "Any such app could have
> a copy of the jailbreak in it," he wrote on Twitter.

Seems a bit overblown when there's a review process in place. I'm sure it's
not infallible, but still..

~~~
yots
Yes, to some extent people should be worried about apps potentially containing
exploits, but then again they should be more worried about 0-days than a known
vulnerability.

~~~
oarsinsync
> A zero-day (also known as 0-day) vulnerability is a computer-software
> vulnerability that is unknown to, or unaddressed by, those who should be
> interested in mitigating the vulnerability (including the vendor of the
> target software)[0]

Why should a publicly known unpatched vulnerability be a lesser concern than
something that you don't know exists?

[0]: https://en.wikipedia.org/wiki/Zero-day_(computing)

------
eljefe900
Please excuse the tinfoil hat - is there any chance that this vulnerability
was reintroduced at the request of the Chinese government to allow easier
access to Hong Kong protesters' devices?

~~~
UweSchmidt
No need for a tinfoil hat or this specific vulnerability.

Any number of backdoors can be introduced with any update for any operating
system or app. Generally governments around the world want backdoors and
information from companies and companies generally comply.

~~~
pilif
Last time this happened to Apple they fought it tooth-and-nail and at least
from what the public knows they were victorious and did not have to add a
backdoor.

------
mehrdadn
I got a _lot_ of flak here recently for suggesting that maybe security
researchers shouldn't be publishing PoCs or deep vulnerability details
literally 1 week after the vendor issues a patch.

Here's to hoping that, now that this happened, someone will give this idea
another consideration...

(P.S. for those wondering: apparently this is CVE-2019-8605:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1806)

~~~
0x0
But it's been 3 months since the vendor first issued a patch!

~~~
mehrdadn
I mean, I'm not suggesting 1 week should've been 1 month or even 3 months.
Those are too short to me too.

But regardless, that's already 3 months people had to design, write, test, and
perfect an exploit for it...

~~~
consp
The exploit was patched in iOS 12.3, not known since 12.3. Apple probably knew
for longer, fixed it in 12.3 and reverted the patch (somehow) in 12.4.

If you want to make your point, this is one of the worst examples you can take
as it is an old exploit, which has been patched and now works again. The code
should be in the public after the patch anyway if a researcher found it.

~~~
mehrdadn
> The exploit was patched in iOS 12.3, not known since 12.3. Apple probably
> knew for longer, fixed it in 12.3 and reverted the patch (somehow) in 12.4.

Huh? Am I misreading the timeline? iOS 12.3 was released May 13, and I see the
view restriction removed (Label:-Restrict-View-Commit) on May 20... which is
almost _exactly_ 3 months ago:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1806#c8
https://support.apple.com/en-us/HT210118

