Patches for iOS Security Wi-Fi Vulnerability Recently

Announced
By Manish Kumar Shrestha
Date :- July 25
A seemingly harmless WiFi hack was recently warned to iPhone owners all around
the world that it was not only potentially harmful, but also a real menace. That
threat level is now extremely real.(Respected) mobile security specialist ZecOps
has revealed that a severe "zero-click" bug was secretly patched in iOS 14.4 in
fresh research shown to me ahead of publication (without a CVE). Furthermore,
ZecOps research demonstrates that this vulnerability can be used to exploit the
latest (headline-grabbing) iPhone WiFi attack.
This turns it into a local privilege escalation (LPE) and remote code execution
(RCE) threat, as well as a relatively innocuous denial of service (DoS) threat. The
latter is a hacker's ultimate goal, as it allows them to remotely control your iPhone.
And Apple has yet to come up with a long-term solution.On july 21,Apple has
corrected this flaw in iOS 14.7, according to ZecOps, who conducted extensive
testing. "Format strings are going to remain a vulnerability class that is utilized for
exploit development," ZecOps CEO Zuk Avraham told me.The main conclusion is
that there are plenty of problems waiting to be identified, and we need to give
device owners and security operations centers broader access to scan mobile
devices." In a nutshell, expect variations of this exploit to resurface. On July 23,In
its official iOS 14.7 security notes, Apple verified the fix. After that, users were
safe.“A new WiFi vulnerability has surfaced in town. You undoubtedly noticed it
but didn't comprehend what it meant. “The recently disclosed ‘non-dangerous'
WiFi bug is dangerous,” cautions Zuk Avraham, CEO of ZecOps. “As part of our
investigation into this vulnerability, we discovered another silently patched format-
strings vulnerability that allows an attacker to infect an iPhone or iPad running iOS
14.3 or earlier without requiring any interaction with an attacker.
The term "0-click" refers to this style of attack (or zero-click). It is possible to
exploit this issue, and the same technique may be used to exploit the current
unpatched WiFi flaw in iOS 14.6".And this is where things start to go wrong. In its
current state, a user using iOS 14.6 would have to join a WiFi network with
specifically designed characters in its name (SSID) to be vulnerable, according to
ZecOps, which is likely to arouse suspicion and reduce prospective assaults.“Our
research team was able to design the network name in a way that does not expose
the user to the odd characters, making it look like a valid, existing network name,”
security experts AirEye said earlier this month.
Apple's defense is that recent betas of iOS 14.7 suggest the company is working
on a patch, but AirEye CTO Amichai Shulman warns that these airborne attacks
are a "new and as-yet unexplored threat vector [and] given their covert nature,
we're certain to see more such attacks."