iOS 9.3.5 Blocks Remote Jailbreak
Less than a month after the release of iOS 9.3.4 (see “Apple Releases iOS 9.3.4 with a Single Security Fix,” 4 August 2016), Apple has released yet another security-focused iOS update: iOS 9.3.5.
The New York Times writes that this rapid release comes in response to what appears to be a government attempt to compromise the iPhone of Ahmed Mansoor, a prominent human rights activist based in the United Arab Emirates. Two weeks ago, he reported several suspicious SMS text messages to researchers at the digital rights watchdog group Citizen Lab. With assistance from the research team at Lookout, Citizen Lab was able to identify the texts as coming from an exploit infrastructure created by NSO Group, an Israel-based “cyber-war” company that makes phone surveillance software. The chain of exploits would have led to a remote jailbreak enabling the attacker — likely the UAE government — to install sophisticated spyware on Mansoor’s iPhone. Citizen Lab reported these vulnerabilities to Apple, which promptly fixed them in iOS 9.3.5; Citizen Lab’s report makes for fascinating reading — it’s a real-world thriller.
The three specific vulnerabilities, as outlined by Apple’s security note, involve bugs that could allow applications to disclose kernel memory or allow application execution, and a vulnerability that would allow malicious Web sites to execute code.
It’s extremely unlikely that most people would be targeted by NSO Group’s exploit chain, given that it undoubtedly sells for big bucks. However, now that the vulnerabilities on which it relies have been blocked by iOS 9.3.5, it’s easy to imagine the price dropping significantly, enabling garden-variety miscreants to buy and use it against those who don’t update.
Since the result could be your iPhone being used to track your movements, record audio and video from your surroundings, snoop on messages in chat apps, and more, we recommend that you install iOS 9.3.5 as soon as possible. Download sizes vary, but it was about 38 MB on an iPhone 5s, and you can update via Settings > General > Software Update or through iTunes.
I have the download for iOS 9.3.5 for my iPhone 5 and it is only 26.6 MB.
That's fascinating, since the screenshot comes from an iPhone 5s, updating from iOS 9.3.4. I wonder why it would be so different.
The plot thickens... Mine says 39.8 (a 6s updating from iOS 9.3.4). Sounds like the size is hardware-related...
My iPhone 6 was 36 MB.
I saw the article in the paper (Troy Wolverton) and immediately started the download. It is still not complete over an hour later. I suspect that Apple is swamped with people anxious to protect their iPhones. Friday 10:45 AM PDT.
The download completed successfully by 10:57 AM PDT.