UPDATED 00:54 EST / MARCH 28 2017

New Apple iOS release patches flaw that allowed browser hijacking

Apple Inc. has released a new update for iOS devices that patches a flaw in its Safari browser that allowed hackers to execute a “scareware” campaign designed to trick people into buying unnecessary antivirus software.

First discovered by mobile security firm Lookout Inc., the vulnerability allowed nefarious actors to abuse the pop-up dialogs in Safari in a way that locked users out of the browser. Once a user was blocked from web surfing, a message would appear demanding that the victim pay money in the form of an iTunes gift card to have control returned, complete with threatening messages.

Lookout told SiliconANGLE via email that the attack used the app sandbox of the Safari browser with no exploit code. The app sandbox is a standard feature on both iOS and macOS that provides access control authority intended to contain damage to the system and user data if an app becomes compromised.

In a separate blog post, the company noted that the scammers registered domains and launched the attack from the domains they owned, such as police-pay[.]com. The attackers apparently chose such names with the intent of scaring users looking at certain types of material on the Internet, such as pornography or illegal music downloads, into paying money.

Surprisingly, overcoming a hijacked browser is as simple as clearing the cache:

Lookout determined the best course of immediate action for the user who initially reported it was to clear the Safari cache to regain control of the browser. (Settings > Safari > Clear History and Website Data) Once a person erases all web history and data, effectively starting Safari as a fresh app, the ransom campaign is defeated.

The other alternative is to download iOS 10.3, which includes a patch that prevents these sorts of attacks from happening to begin with.

Image: Lookout
