
Apple fixes iPhone coma vulnerability

Researchers say that Apple fixed a vulnerability which could put an iPhone into an eternal comatose state, The Register reports.

The flaw (CVE-2015-1118), dubbed "Phantom", allows attackers who can trick users into changing their iDevice proxy settings to trigger multiple use-after-free vulnerabilities. Once a user changes the settings, their apps start crashing, and if they try to reboot the phone, it falls into a "coma".

FireEye bods Zhaofeng Chen, Hui Xue, Tao Wei and Yulong Zhang say attackers could set up large Wi-Fi hotspots to con Apple users into altering their settings and destroying their phones.

"An attacker may distribute a malicious [configuration] profile containing proxy settings to users connected to a given Wi-Fi hotspot. If the attacker has convincing social-engineering skills, a user who does not understand the security risks might proceed to install a malicious profile [and] the attacker can then modify the victim’s proxy settings to launch Phantom attacks," they wrote in a blog post.

"Configuring HTTP proxy to abnormal values triggers multiple use-after-free (UAF) issues in libsystem_network.dylib. This vulnerability can lead to several undesired security consequences, e.g. most of networking apps will crash immediately, including system components; the system will respond sluggishly, and it is even not able to reboot successfully."

The team says admins of Wi-Fi hotspots should deliver content over HTTPS, while system admins should force users to upgrade their Apple devices.
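Because the delivery route described above is a configuration profile that carries proxy settings, an admin can check a profile for such settings before it reaches a device. The sketch below is an added example, not code from FireEye, Apple or The Register. It assumes an unsigned XML or binary plist profile, and the sample profile, its identifiers and the host name are constructed for illustration.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Payload types that can carry proxy settings in an Apple configuration profile.
PROXY_PAYLOAD_TYPES = {"com.apple.wifi.managed", "com.apple.proxy.http.global"}
PROXY_KEYS = ("ProxyType", "ProxyServer", "ProxyServerPort", "ProxyPACURL")


def proxy_findings(profile_bytes):
    """Return one finding for every payload in the profile that sets a proxy."""
    try:
        profile = plistlib.loads(profile_bytes)
    except (plistlib.InvalidFileException, ExpatError) as exc:
        # A signed profile is wrapped in a CMS envelope and must be unwrapped first.
        raise ValueError("not a plain plist (signed or malformed profile)") from exc
    if not isinstance(profile, dict):
        raise ValueError("profile root is not a dictionary")
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") not in PROXY_PAYLOAD_TYPES:
            continue
        settings = {k: payload[k] for k in PROXY_KEYS if k in payload}
        # Flag any proxy key except an explicit ProxyType of "None".
        if settings and settings.get("ProxyType") != "None":
            findings.append({
                "payload_type": payload["PayloadType"],
                "identifier": payload.get("PayloadIdentifier"),
                "settings": settings,
            })
    return findings


# Constructed sample: a Wi-Fi payload without a proxy and a global proxy payload.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.hotspot",
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed",
         "PayloadIdentifier": "com.example.hotspot.wifi",
         "SSID_STR": "Example-Hotspot", "ProxyType": "None"},
        {"PayloadType": "com.apple.proxy.http.global",
         "PayloadIdentifier": "com.example.hotspot.proxy",
         "ProxyType": "Manual", "ProxyServer": "proxy.example.invalid",
         "ProxyServerPort": 8080},
    ],
})

if __name__ == "__main__":
    for finding in proxy_findings(SAMPLE_PROFILE):
        print(finding["identifier"], finding["settings"])
```

A finding means only that the profile changes proxy settings and deserves review before installation; the check does not judge whether the values are abnormal.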