
Apple Fixes Jailbreak Vulnerabilities With Release of iOS 8.1.1

Apple’s first update for the iOS 8.1 mobile operating system includes bug fixes, increased stability and performance improvements for older devices, and also addresses several security issues.

iOS 8.1.1 fixes a total of 9 vulnerabilities affecting components such as the CFNetwork framework, the dyld dynamic link editor, the kernel, the lock screen, sandbox profiles, the search system Spotlight, and the browser engine WebKit.

The CFNetwork flaw (CVE-2014-4460) caused browsing data to remain in the cache after closing a private browsing session. Ashkan Soltani has discovered that a user’s approximate location is included in the initial connection between Spotlight or Safari and the Spotlight Suggestions server (CVE-2014-4453).

Two lock screen security bugs have been addressed with the release of iOS 8.1.1. Stuart Ryan of the University of Technology, Sydney noticed that an attacker with physical access to a device could exceed the maximum number of failed passcode attempts (CVE-2014-4451). Researchers also found a lock screen issue that could have been leveraged to access content in the Photo Library (CVE-2014-4463).

Memory corruption vulnerabilities in WebKit (CVE-2014-4452, CVE-2014-4462), which could have led to arbitrary code execution or unexpected application termination, have also been fixed by Apple.

The other three vulnerabilities have been uncovered by the Pangu Team, a Chinese group that specializes in jailbreaking iOS. According to Apple, the sandbox profiles flaw (CVE-2014-4457) can be exploited to launch arbitrary binaries on a trusted device, the kernel vulnerability (CVE-2014-4461) can be used by a malicious application to execute arbitrary code with system privileges, while the dyld bug (CVE-2014-4455) can be leveraged by a local user to execute unsigned code.

These vulnerabilities have been used by the Pangu Team in their jailbreak. The hackers confirmed that their jailbreak no longer works since Apple released iOS 8.1.1 for developers.

Earlier this month, researchers at security firm FireEye revealed the existence of an iOS vulnerability that can be leveraged to replace genuine applications with illegitimate apps. A limited form of this attack, which FireEye dubbed “Masque,” was used by the recently uncovered WireLurker malware, a threat that is believed to have infected the devices of hundreds of thousands of users in China.

The malware, whose alleged developers were arrested by Chinese authorities last week, had been distributed via rogue Mac OS X applications. The threat transferred malicious iOS apps onto devices connected to the infected computer through the USB port. WireLurker had leveraged a form of the Masque attack to target devices through USB.

Apple took some steps to protect its customers against WireLurker shortly after the existence of the threat came to light. However, the vulnerability used in Masque attacks, which FireEye reported to Apple on July 26, has not been fixed. The flaw affects iOS 7.1.1, 7.1.2, 8.0, 8.1 and apparently 8.1.1.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
