Code Cracker: Jailbreaking iOS 17.0 – 17.1

With the unveiling of iOS 17, a wave of newly identified vulnerabilities have been addressed. These vulnerabilities encompassed various aspects, including kernel vulnerabilities and WebKit exploits. However, what sets iOS 17 apart is the swift response to an even more menacing threat: a comprehensive spyware exploit chain detected in the wild.

iOS 17 expediently countered this espionage threat with a multifaceted defense. The chain of exploits included a WebKit vulnerability acting as the entry point, a CodeSign/CoreTrust vulnerability enabling unsigned iOS binaries to execute, and a Remote Code Execution (RCE) vulnerability, granting kernel privileges.

Interestingly, the WebKit vulnerability, along with other components of this chain, could potentially serve peaceful purposes, such as facilitating a jailbreak. It’s a surprising twist that highlights the dual nature of these vulnerabilities.

However, a peculiar development unfolded after the patching of CVE-2023-41993, the WebKit vulnerability, in iOS 17.0. Subsequent updates, namely iOS 17.0.1, iOS 17.0.2, and iOS 17.0.3, seemed to have resolved the issue. Yet a twist emerged with the release of iOS 17.1 Beta, as it reintroduced the same bug. Consequently, iOS 17.0 and iOS 17.1 Beta users can continue to exploit the WebKit vulnerability to their advantage. This situation has raised eyebrows regarding Apple’s patching process.

iOS 17 Safari/WebKit Vulnerability Unveiled

Notably, a few days ago, a developer by the handle @po6ix presented a proof of concept for CVE-2023-41993, the WebKit vulnerability, on their GitHub account. This code release revealed fundamental techniques to trigger the WebKit vulnerability, which, once exploited, provides full control over the web content process. This vulnerability could potentially be linked with other exploits, such as kernel exploits or PPL bypasses, to create a jailbreak accessible directly from Safari.

Affected and Unaffected iOS Versions

Understanding which iOS versions are impacted and which are unaffected is essential. The WebKit vulnerability affects iOS 17.1 Beta, iOS 17.0, and potentially iOS 16.1. In contrast, iOS versions such as 16.1.1, 16.2, 16.5, 16.5.1, 16.6 beta 1, 16.6.1, 16.7.1, and 17.1 RC remain unaffected, as does iPadOS 17 beta 1.

The Advantages of a Safari-Based Jailbreak

Compared to traditional IPA-based jailbreaks, a Safari-based jailbreak offers several compelling advantages, primarily in terms of convenience. These benefits include:

  1. No 7-Day Re-Signing: With a Safari-based jailbreak, there’s no need for the hassle of re-signing every seven days, as there’s no IPA or app to continually renew via AltStore.
  2. Convenience: Initiating the jailbreak is as simple as visiting a website in Safari and clicking a button on the webpage.
  3. Live Updates: The absence of an IPA means any adjustments made to the triggering webpage automatically apply to all users during re-jailbreaks, eliminating the need for user intervention.

It remains to be seen whether this WebKit vulnerability will be harnessed for a jailbreak, but its potential is undoubtedly promising. The duality of these vulnerabilities underscores the complex landscape of mobile device security.