Check Point researchers have demonstrated a flaw in SQLite by showing how it could be used on Apple iPhones.
Researchers at Check Point Software Technologies Ltd. have discovered a flaw in one of the most-deployed pieces of software in the world that undergirds the contacts list on Apple Inc. iPhones and plays an important in nearly every popular computing platform.
The SQLite database engine is used in operating systems, desktops and mobile phones — including iOS and MacOS, Alphabet Inc.’s Chrome browser and Android operating system, Microsoft Corp.’s Windows 10, as well as Safari and Firefox web browsers. SQLite is also used in products from Dropbox Inc., Adobe Inc., and others.
As a proof of concept, the researchers say they were able to surreptitiously gain greater access to iOS privileges. “If successful, the intruder owns your iPhone” and the information on it, Omri Herscovici, the security research team leader at Check Point who authored the 82-page report, told MarketWatch in a phone briefing.
Check Point said it informed Apple in March and the company issued a patch in May.
MacDailyNews Take: Patched. At least by Apple. With any of those other operating systems, desktops and mobile phones, your mileage may, and very likely will, vary greatly.
If you haven’t updated your iPhone, iPad, and/or iPod touch software since May, do so ASAP.
What hyped up BS. You need physical access to the unlocked phone. At that point you could do whatever you wanted with the fricking thing and install any sort of malware you want…why would you go through the trouble to replace the Contacts database with something that will inject malware when called?
“Check Point demonstrated at the show how an attack against SQLite could be used to bypass the iPhone’s secure boot mechanism in iOS by replacing the contacts database (AddressBook.sqlitedb) prior to reboot with a rogue database — leading to privilege escalation” https://threatpost.com/sqlite-exploits-iphone-hack/147203/
Much ado about NOTHING.
It’s still wise to get the patch. Anything that can lead to privilege escalation is something that can potentially can combined with other vulnerabilities to widen the attack vector.
In other words, I’m glad researchers discovered this, reported it to Apple, Apple patched it, and now journalists are reminding people to update.
Seems to me like this is an appropriate amount of ‘ado about’ something a bit important — unlike your conclusion, JimBob.