New ways to attack iPhones exposed – make sure you update to iOS 8.4

iOS Masque attackThis week Apple has released the latest version of iOS for iPhone and iPad users – iOS 8.4 – introducing Apple Music.

But even if you’re not interested in Apple’s attempt to dislodge the likes of Spotify, security firm FireEye has given you another good reason to update your devices to iOS 8.4 – especially if you work for a company that uses its own in-house iOS apps.

In a blog post, security researchers provide details of new so-called Masque attacks, exploiting iOS’s failure to properly distinguish between apps with the same bundle identifier.

Full details can be found in the FireEye blog post, including the reveal of a previously undisclosed code injection attack that could allow communications – including those over VPN – to be intercepted and hijacked.

Sign up to our free newsletter.
Security news, advice, and tips.
Demo: Plugin Masque Attack

Clearly any vulnerability which would lead to unauthorised monitoring of VPN traffic is very bad news indeed.

It’s important to emphasise that targeted iPhones and iPads do not have to be jailbroken to be at risk of having malware installed onto them.

Through social engineering, an attacker could trick users into installing a malicious app onto their iOS devices using the enterprise provisioning feature that Apple provides for companies who wish to roll out their own apps to staff.

The researchers believe that “around one third of iOS devices still have not updated to versions 8.1.3 or above, even 5 months after the release of 8.1.3, and these devices are still vulnerable to all the Masque Attacks.”

iOS share

FireEye describes Apple’s update for some of the vulnerabilities it reported as only “partial”, but it still feels sensible for users to update to iOS 8.4 at the earliest opportunity if possible.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

3 comments on “New ways to attack iPhones exposed – make sure you update to iOS 8.4”

  1. David L

    Hi Graham,

    These issues are not new,but a recap from previous blogs. See referenced articles at the end. I have followed this from the beginning and after the partial fix in ios 8.1.3 then wrote about the "new" attack vectors. What Fireeye needs to do is verify the fixes And then write it up. Yes,many have become gun shy after Apple botched some updates,and so wait to see if there are any bugs before updating,and then forget,or don't care to update for what ever reasons. The title of fireeye's blog is a little like click bait, it should have said to be sure to update to ios 8.4 to fix these issues.

    That said,I am not an Apple fan. That they have so many vulnerabilities,and took almost a year to fix them,is the real story. Their last update fixed 80 vulns,50 of which were Safari related. And now,77 fixes,all which need an os update, means that Apple is less secure then Android. Apple is the new MS and should have a patch Tuesday before they become the new Adobe (-:

    1. Bob · in reply to David L

      Microsoft are much better than they used to be in terms of general security and patches. In fact Windows Phones are now THE most secure handset according to research from the University of Cambridge.

      Apple should really take a leaf from Microsoft's book – in Windows 10 all consumer streams of the OS will be updated automatically.

      Apple are terrible at repairing vulnerabilities and then they cover them up.

  2. David L

    A major controversy last year was the backdoored ios that Apple denied,but fixed none the less. There is still a vulnerability about pairings with other computers for anyone interested, Jonathan Zdziarsky was the forensic expert who wrote these issues up. His website has a wealth of information on Apple issues.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.