A major bug has been detected in Apple’s iOS that lets attackers overwrite files and insert a signed app on a target device, which the device is then fooled into trusting with no prompt shown to the user, according to ThreatPost.
Mark Dowd, founder and director of Azimuth Security, discovered the flaw and said he was able to exploit it over AirDrop, Apple’s sharing system that allows users to transfer documents to other Apple devices. An attacker can gain entry to the OS library on a targeted device should a user have a preference set to allow connections from anyone, Dowd said. This could occur on a locked device, even without the user’s knowledge.
Dowd reported the vulnerability to Apple, and the company will include a mitigation for it in iOS 9, due out Wednesday. However, ThreatPost reported that the mitigation is not a full patch.