Several malware researchers say that a change coming in iOS 14.5 will make zero-click vulnerabilities more difficult to exploit, thereby protecting users' devices. Apple reportedly made a quiet change to the way code runs in the iOS 14.5 beta, and more details are expected to be disclosed with the next public release.
Specifically, the company added Pointer Authentication Codes (PAC) to protect users from attacks that inject malicious code through memory corruption. Before a call is made, the system now verifies the so-called ISA pointer, a feature that tells an iOS program what code to run.
One researcher said he discovered the change in the iOS 14.5 beta while doing reverse engineering work in early February. Apple also shared some details about PAC in the new version of its "Platform Security Guide", publicly released on February 28.
Researchers told Motherboard that this mitigation will make zero-click vulnerabilities more difficult to exploit. In this type of attack, the attacker can compromise an iPhone without any interaction from the user, and can even use complex techniques to escape the sandbox isolation mechanism built into iOS.
An Apple spokesperson also told foreign media that the company believes the change will make zero-click attacks more difficult to carry out, but added that device security does not depend on a single mitigation and instead requires a combination of measures.
Security researchers said that although such attacks cannot be completely ruled out, the new measure raises the bar and greatly increases the cost of carrying them out.
Zero-click vulnerabilities have previously been used in several high-profile attacks against iPhone users. For example, in 2016, the UAE used a hacking tool called Karma to break into hundreds of iPhones.
In addition, a 2020 report indicated that a zero-click vulnerability was used to monitor the iPhones of 37 journalists, and the Google Project Zero security team has also discovered other potential zero-click attacks.