On Monday, Johns Hopkins University published a report revealing a flaw in Apple’s iMessage service. It was resolved the same day with the release of iOS 9.3, but this week’s disclosures also include a bigger, more dire flaw that would allow a hacker to execute code remotely over Wi-Fi. The bug, CVE-2016-0801, is described as:
“The Broadcom Wi-Fi driver allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted wireless control message packets.”
This means that hackers connected to the same Wi-Fi network as you could infiltrate your device and begin executing harmful code. It’s the same security lapse that, up until last month, was present on Android Nexus devices. Google considered the issue to be critical:
“Multiple remote execution vulnerabilities in the Broadcom Wi-Fi driver could allow a remote attacker to use specially crafted wireless control message packets to corrupt kernel memory in a way that leads to remote code execution in the context of the kernel. These vulnerabilities can be triggered when the attacker and the victim are associated with the same network. This issue is rated as a Critical severity due to the possibility of remote code execution in the context of the kernel without requiring user interaction.”
There has been a lot of discussion surrounding the security of Apple devices, given the company’s ongoing fight with the FBI over encryption policies. Thankfully, that hasn’t kept Apple from rolling out a patch for this issue: it is included in the iOS 9.3 update that first became available midday on Monday. If you haven’t yet updated to the latest version of iOS, now would definitely be the time to do so.