Forgot your password?
typodupeerror
Security Apple

Two Unpatched Flaws Show Up In Apple iOS 171

Posted by samzenpus
from the rotten-apple dept.
Trailrunner7 writes "The technique that the Jailbreakme.com Web site is using to bypass the iPhone's security mechanisms and enable users to run unapproved apps on their phones involves exploiting two separate vulnerabilities. One of the vulnerabilities is a memory-corruption flaw that affects the way that Apple's mobile devices, including the iPad and iPod Touch, display PDFs. The second weakness is a problem in the Apple iOS kernel that gives an attacker higher privileges once his code is on a targeted device, enabling him to break out of the iOS sandbox. The combination of the two vulnerabilities — both of which are unpatched at the moment — gives an attacker the ability to run remote code on the device and evade the security protections on the iPhone, iPad or iPod Touch. The technique became public earlier this week when the Jailbreakme.com site began hosting a set of specially crafted PDF files designed to help users jailbreak their Apple devices and load apps other than the ones approved by Apple and offered in its official App Store."
This discussion has been archived. No new comments can be posted.

Two Unpatched Flaws Show Up In Apple iOS

Comments Filter:
  • Re:Lol apple (Score:4, Informative)

    by Some.Net(Guy) (1733146) on Wednesday August 04, 2010 @08:08PM (#33145520) Homepage

    iOS is the biggest mobile operating system player right now

    Yep, it sure is. I mean, if you don't count Android [trendsupdates.com]

  • Re:Lol apple (Score:5, Informative)

    by h4rr4r (612664) on Wednesday August 04, 2010 @08:30PM (#33145692)

    iOS is not the biggerst mobile operating system in any way shape or form. RIM has far more devices in North America and Nokia rules the rest of the world.

  • Re:Lol apple (Score:3, Informative)

    by MichaelSmith (789609) on Wednesday August 04, 2010 @08:39PM (#33145768) Homepage Journal

    Somebody could rewrire the phone lines to my house too, but I don't count that as a vulnerability in the simple electronics in my land line phones.

  • by SuperKendall (25149) on Wednesday August 04, 2010 @08:42PM (#33145796)

    Often the patches will not undo already jailbroken systems. So there's that possibility.

    But if someone finds they like the jailbreaking, they can just use whatever mechanism will come along to jailbreak 4.1. Usually it's not as dramatic as a browser bug and it involves running an application on your main computer to alter your attached device, but it's easy enough for anyone interested to keep going.

    Another option is that jailbreakers can simply replace the 4.0 PDF library with the 4.1 version (if compatible).

  • by somenickname (1270442) on Wednesday August 04, 2010 @08:45PM (#33145812)

    Count Android all you like, if you count every Android device sold to date it would not equal the number [cnn.com] of iPhone and iPod Touch units sold.

    The Touch (and iPad) all run the same mobile iOS the phones do.

    Note that link was from back in 2009...

    Android and iOS combined don't even come close to Symbian.

  • Re:Lol apple (Score:5, Informative)

    by somenickname (1270442) on Wednesday August 04, 2010 @09:02PM (#33145918)

    That page doesn't say that at all. You've quoted numbers (and even incorrectly inflated the iOS numbers by instead quote the linux desktop numbers) about browser strings. If you scroll down, you will see a VERY different picture of the marketplace for mobile devices (including iPhone, iPad and iPod):

    From Gartner:

    Symbian: 44.3%
    Blackberry: 19.4%
    iOS: 15.4%
    Windows Mobile: 6.8%
    Android: 9.6%
    Linux: 3.7%
    Other: 0.7%

    Even allowing for a hefty margin of error, compared to Symbian, iOS is a very distant third.

  • Re:Patched in 4.1... (Score:3, Informative)

    by Anubis350 (772791) on Wednesday August 04, 2010 @09:05PM (#33145930)
    Actually, at the moment, only jailbreakers can be *safe* from this vulnerability. Google "PDF Loading Warner". Ironic, isn't it?
  • Re:Lol apple (Score:4, Informative)

    by mini me (132455) on Wednesday August 04, 2010 @09:38PM (#33146140)

    The Gatner article you are referring to clearly states that those marketshare numbers are for cell phones. The majority of iOS devices are not cell phones at all.

  • Re:Lol apple (Score:2, Informative)

    by Anonymous Coward on Wednesday August 04, 2010 @09:48PM (#33146178)

    Those stats are just 1Q2010 sales, which may not be indicative of the total market share of phones currently in use. It's still a much better statistic than the one based on User-Agent strings though. With phones being replaced on average every 2 years though, one quarter worth of sales is an okay indicator, although Blackberry hasn't released too many phones recently.

    The ComScore list appears to be better although they don't really say what their methodology is. They don't include Nokia in their list of smartphones and only have stats on US subscribers though...

    (May 2010)
    RIM 41.7%
    Apple 24.4%
    Microsoft 13.2%
    Google 13.0%
    Palm 4.8%

  • Re:Flaw? (Score:3, Informative)

    by Mr2001 (90979) on Wednesday August 04, 2010 @10:20PM (#33146296) Homepage Journal

    I'd suspect even Google would make more effort to lock down Android if stuff like Installous was floating around there (is it? I have no idea).

    You don't need anything like Installous on Android, because Android doesn't limit where you can install apps from. Once you check the "Allow installation of non-Market applications" option, you can just point the browser at a link to a .apk file.

    Google is addressing paid-app piracy, but not by locking down the OS. Instead, they're letting apps check with Google's servers to verify that the app has been purchased by the person who's running it.

  • Re:Lol apple (Score:3, Informative)

    by exomondo (1725132) on Wednesday August 04, 2010 @11:40PM (#33146690)

    iOS is the biggest mobile operating system player right now

    bullshit! [cnet.com]

Suburbia is where the developer bulldozes out the trees, then names the streets after them. -- Bill Vaughn

Working...