Apple adjusts ISA pointers in iOS to make zero-click exploits more difficult
Apple is making it harder for attackers to compromise iPhones without any user interaction. The company will now authenticate ISA pointers in the OS, so that memory corruption bugs are harder to exploit and sandbox escapes become less likely.
The change is in the beta version of iOS 14.5, the upcoming version of the operating system. Several security researchers told Motherboard this after working with the beta. In iOS 14.5, Apple adds Pointer Authentication Codes (PACs) to ISA pointers. An ISA pointer tells the runtime which class an object belongs to, and therefore which code should run when the object is used. Until now, those pointers were not authenticated with PACs. That made it possible to redirect an app to other code by overwriting an ISA pointer.
Corrupting ISA pointers in iOS was primarily used to let apps escape the sandbox. However, it could also be used as part of a zero-click exploit, an exploit where the user does not have to click or install anything. Such exploits are rare and are sold for a lot of money. Zero-click attacks yield between $250,000 and $1 million in Apple's own bug bounty program.
The security researchers Motherboard spoke with say the new protection makes such exploits much more difficult to execute. According to Apple, zero-click exploits usually need to chain several vulnerabilities together, so the risk never disappears completely.
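To show why signing the ISA pointer defeats the overwrite described above, here is an added C simulation that is not Apple's code and not real arm64e pointer authentication: a keyed mix function stands in for the hardware PAC, the code is packed into the unused high 16 bits of the pointer, and the object's own address serves as the signing context. The class names, key value and hash constants are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed simulation of a PAC-protected isa pointer. On real hardware the
 * code is computed by the CPU with a key the attacker cannot read; here a keyed
 * mix function plays that role and the "secret" is just a constant. */
typedef struct { const char *name; void (*greet)(void); } ObjClass;
typedef struct { uintptr_t isa; } Object;   /* isa = signed pointer to ObjClass */

static const uint64_t kSecretKey = 0x5a17c0ffee0bad5eULL;   /* constructed key */
#define PAC_SHIFT 48                 /* bits 48..63 of a user pointer are unused */
#define PAC_MASK  (0xffffULL << PAC_SHIFT)

/* 16-bit code over (pointer, context, key); the context binds it to one object */
static uint64_t compute_pac(uintptr_t ptr, uint64_t ctx) {
    uint64_t h = (ptr ^ ctx ^ kSecretKey) * 0x9E3779B97F4A7C15ULL;
    h ^= h >> 29; h *= 0xBF58476D1CE4E5B9ULL; h ^= h >> 32;
    return (h & 0xffff) << PAC_SHIFT;
}

uintptr_t sign_isa(const ObjClass *cls, const Object *self) {
    uintptr_t raw = (uintptr_t)cls;
    return raw | compute_pac(raw, (uint64_t)(uintptr_t)self);
}

/* Returns the class if the code verifies, NULL if the pointer was tampered with */
const ObjClass *authenticate_isa(const Object *self) {
    uintptr_t raw = self->isa & ~PAC_MASK;
    if ((self->isa & PAC_MASK) != compute_pac(raw, (uint64_t)(uintptr_t)self))
        return NULL;
    return (const ObjClass *)raw;
}

static void benign(void)   { puts("benign method"); }
static void attacker(void) { puts("attacker-controlled method"); }
ObjClass Benign = { "Benign", benign };
ObjClass Evil   = { "Evil",   attacker };

/* Legitimate path: the runtime signs isa at allocation and dispatches through it */
int legit_isa_dispatches(void) {
    Object obj = { 0 };
    obj.isa = sign_isa(&Benign, &obj);
    const ObjClass *cls = authenticate_isa(&obj);
    if (cls == NULL) return 0;
    cls->greet();
    return 1;
}

/* Memory corruption overwrites isa with an unsigned pointer to another class */
int forged_isa_is_rejected(void) {
    Object obj = { 0 };
    obj.isa = sign_isa(&Benign, &obj);
    obj.isa = (uintptr_t)&Evil;          /* attacker cannot compute the code */
    return authenticate_isa(&obj) == NULL;   /* dispatch is refused, not hijacked */
}
```

Without the signature the second function would happily call `attacker()`; with it, the unsigned overwrite fails the check before any method is resolved.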