[ Ars Technica ] Dan Goodin:
The vulnerability resides in a widely used Wi-Fi chipset manufactured by Broadcom and used in both iOS and Android devices. Apple patched the vulnerability with Monday’s release of iOS 10.3.1. “An attacker within range may be able to execute arbitrary code on the Wi-Fi chip,” Apple’s accompanying advisory warned. In a highly detailed blog post published Tuesday, the Google Project Zero researcher who discovered the flaw said it allowed the execution of malicious code on a fully updated 6P “by Wi-Fi proximity alone, requiring no user interaction.”
Gal Beniamini developed the exploit. Google is working on a patch, but the patch will take some time, and some smartphones (even fairly new ones) will in some cases never get patched. Allowing smartphone brands such as HTC, Huawei, LG, Motorola, Samsung, Sony, etc. to push their own versions of Android becomes an Achilles' heel when a security patch needs to be distributed quickly and to all affected Android smartphones. As a precaution, turn off WiFi connectivity in public locations; simply not connecting to unverified WiFi signals may not be safe enough.
If you’re an iPhone (iPhone 5 and newer) user, patch your iPhone. iPhone 4s and older iPhone users: I’d recommend upgrading to an iPhone SE, the most affordable new iPhone Apple is currently selling.