
Two Unpatched Flaws Show Up In Apple iOS

Posted by samzenpus
from the rotten-apple dept.
Trailrunner7 writes "The technique that the Jailbreakme.com Web site is using to bypass the iPhone's security mechanisms and enable users to run unapproved apps on their phones involves exploiting two separate vulnerabilities. One of the vulnerabilities is a memory-corruption flaw that affects the way that Apple's mobile devices, including the iPad and iPod Touch, display PDFs. The second weakness is a problem in the Apple iOS kernel that gives an attacker higher privileges once his code is on a targeted device, enabling him to break out of the iOS sandbox. The combination of the two vulnerabilities — both of which are unpatched at the moment — gives an attacker the ability to run remote code on the device and evade the security protections on the iPhone, iPad or iPod Touch. The technique became public earlier this week when the Jailbreakme.com site began hosting a set of specially crafted PDF files designed to help users jailbreak their Apple devices and load apps other than the ones approved by Apple and offered in its official App Store."
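The summary above names the first stage of the chain as a memory-corruption flaw in the way iOS displays PDFs, without giving its details. As an added illustration (not the article's, Jailbreakme's or Apple's code, and not the actual iOS bug), the block below shows the classic shape of that bug class in a toy PDF stream-object parser: a decoder that trusts the object's declared /Length next to one that bounds it by the bytes actually present and by the destination buffer. The object layout, the constructed sample objects and all function names are assumptions made for the example.

```c
/* Added illustration of the bug class the summary describes (memory
 * corruption in PDF display).  Not the iOS code: the page gives no details
 * of the real flaw.  Object layout and names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_STREAM 16   /* fixed buffer the toy renderer decodes into */

typedef struct {
    unsigned long declared;   /* value of the /Length key */
    const char *data;         /* first byte after "stream\n" */
    size_t available;         /* bytes actually present after "stream\n" */
} stream_obj;

/* Parse a constructed, NUL-terminated object "<< /Length N >> stream\n<data>".
 * Returns 0 on success, -1 if the object is malformed. */
int parse_stream(const char *obj, stream_obj *out) {
    const char *len = strstr(obj, "/Length ");
    const char *body = strstr(obj, "stream\n");
    if (!len || !body) return -1;
    char *end;
    out->declared = strtoul(len + 8, &end, 10);
    if (end == len + 8) return -1;          /* no number after /Length */
    out->data = body + 7;                    /* skip "stream\n" */
    out->available = strlen(out->data);
    return 0;
}

/* Vulnerable: trusts /Length.  A crafted object whose /Length exceeds the
 * bytes present, or the size of buf[], makes memcpy read past the object and
 * write past the buffer.  Kept here only for comparison; never call it on
 * untrusted input. */
int decode_trusting(const stream_obj *s, char *buf) {
    memcpy(buf, s->data, s->declared);       /* overflow if declared > MAX_STREAM */
    return (int)s->declared;
}

/* Hardened: bound /Length by what is actually present and by the buffer. */
int decode_checked(const stream_obj *s, char *buf, size_t buf_size) {
    if (s->declared > s->available) return -1;   /* lying or truncated length */
    if (s->declared > buf_size) return -2;        /* would overflow buf[] */
    memcpy(buf, s->data, (size_t)s->declared);
    return (int)s->declared;
}

/* Parse and decode through the checked path.  Returns bytes copied, or a
 * negative code for rejected input. */
int render_stream(const char *obj) {
    stream_obj s;
    char buf[MAX_STREAM];
    if (parse_stream(obj, &s) != 0) return -3;
    return decode_checked(&s, buf, sizeof buf);
}

/* Constructed sample objects: honest, lying /Length, and honest but oversized. */
const char *benign_obj    = "<< /Length 5 >> stream\nhello";
const char *crafted_obj   = "<< /Length 4096 >> stream\nhello";
const char *oversized_obj = "<< /Length 20 >> stream\nAAAAAAAAAAAAAAAAAAAA";

int main(void) {
    printf("benign   : %d\n", render_stream(benign_obj));     /* 5  */
    printf("crafted  : %d\n", render_stream(crafted_obj));    /* -1 */
    printf("oversized: %d\n", render_stream(oversized_obj));  /* -2 */
    return 0;
}
```

The checked decoder rejects the crafted object before any copy happens; the trusting one would copy 4096 bytes from a 5-byte body into a 16-byte buffer, which is the memory-corruption primitive a crafted PDF gives an attacker when the renderer believes the file's own length fields.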
  • by mrsteveman1 (1010381) on Wednesday August 04, 2010 @08:12PM (#33145542)

    Back when Apple was trying to convince the public to accept this locked down app store model, one of the justifications was malware protection, specifically Jobs himself cited Bluetooth worms. But the more these things start to look like and function like a general computer, the most likely attack vector is through websites just like on the desktop. The only other attack vector that Apple stops with this model is the fake screensavers, but apparently they aren't so good at catching unwanted code in the app store either; I believe there was a personal information theft app a few months back and just a few weeks ago there was a covert tethering app.

    So I have to ask, if a website can line up a few exploits like this and compromise the entire device to the level needed to actually break the chain of trust Apple has created, what is the point of all this shit? Just so Apple can control their OS environment like a dictator?

    • by SuperKendall (25149) on Wednesday August 04, 2010 @08:39PM (#33145772)

      But the more these things start to look like and function like a general computer, the most likely attack vector is through websites just like on the desktop

      You just made the argument for why users should only use applications vetted from a store instead of the general web.

      Happily the iPhone actually doesn't impose any restrictions on web use.

      I just thought it was odd you were trying to argue against the security benefits of a closed app store using a bug in a totally open browser model.

      The point of the app store would then be that the more applications users used, the less exposed they would be to web bugs. We know attackers inject exploits into popular websites all the time.

      • by h4rr4r (612664)

        Considering that tethering and malicious apps have made it through the store, it is not a safety guarantee.

        • Considering that tethering and malicious apps have made it through the store, it is not a safety guarantee.

          No-one ever said it was. Security can never be absolute. That's why security is a matter of percentages, and layers... multiple layers work better to protect users. Note this flaw required two exploits to come into alignment, a pretty rare event.

          Yes app store reviews can miss things. But App Store apps can be pulled from all devices suddenly with no user involvement (as Google recently had to do). A

      • by Mr2001 (90979)

        I just thought it was odd you were trying to argue against the security benefits of a closed app store using a bug in a totally open browser model.

        On an open platform, you'd be able to use a third-party browser when flaws like this are discovered in the built-in browser.

        On the iPhone, however, you're stuck with Apple's browser core (no pun intended). Third parties are allowed to post their own WebKit skins in the app store, but those are likely to feature all the same bugs.

        • On an open platform, you'd be able to use a third-party browser when flaws like this are discovered in the built-in browser.

          You could always use Opera MINI on the iPhone.

          However it's a poor argument in this case as any third party browser you used would still hand the PDF off to the vulnerable system library to parse and display...

          • by Mr2001 (90979)

            You could always use Opera MINI on the iPhone.

            Opera Mini's server-side rendering and minimal interactivity make it unsuitable to replace a native browser for general use, as I'm sure you're aware.

            However it's a poor argument in this case as any third party browser you used would still hand the PDF off to the vulnerable system library to parse and display...

            ... unless it didn't. Third-party browsers could use third-party PDF rendering libraries.

            • by shmlco (594907)

              "... unless it didn't. Third-party browsers could [sic] use third-party PDF rendering libraries."

              Unless they didn't.

              • by Mr2001 (90979)

                Sure. Point is, iPhone developers are forbidden from writing and distributing browsers that use non-Apple rendering technology. When a bug like this is found, all users can do is hope that Apple fixes it quickly.

                On open platforms, developers have no such restriction. If a bug like this hit Android, you'd probably see third-party browsers on the market soon after that didn't have the same bug -- in fact, there's already a version of Firefox for Android, and there are multiple PDF viewers.

    • by JAlexoi (1085785)
      It's all about the money! No control = no money.
  • by by (1706743) (1706744) on Wednesday August 04, 2010 @08:21PM (#33145616)
    Although various Windows versions may well be less secure than their contemporary Mac versions, Windows was always more vulnerable simply because there was a bigger incentive to attack it (i.e., more users).

    Seems that Apple is now paying the price for popularity.
    • The price not paid (Score:2, Insightful)

      by SuperKendall (25149)

      Seems that Apple is now paying the price for popularity.

      What price? There are as yet no malicious attacks that make use of this attack vector. The only thing that does is using it as a utility that the user invokes on purpose, and even has to swipe to activate it!

      Currently Apple users are not paying any price despite having a very popular mobile platform that every now and then has well-publicised vulnerabilities. Hmm.

      • Re: (Score:2, Funny)

        by beej (82035)

        Currently Apple users are not paying any price despite having a very popular mobile platform that every now and then has well-publicised vulnerabilities. Hmm.

        Apple products are only free if your money is not worth anything. ;-)

      • Re: (Score:3, Insightful)

        by Dragonslicer (991472)

        There are as yet no malicious attacks that make use of this attack vector.

        That we know about.

        • That we know about.

          True, but if we have not heard of any then the infection rate is pretty low - after all you have to get the exploit up on a site and then get the person to visit that with the iPhone browser.

          I would argue that most browser use on mobile devices is going to well-known sites (like your favorite news site, bank, etc) so the chances of a rogue website affecting random users seems pretty low.

          Given there's working example code showing how to use the exploit you would actually expect something h

          • by rvw (755107)

            That we know about.

            True, but if we have not heard of any then the infection rate is pretty low - after all you have to get the exploit up on a site and then get the person to visit that with the iPhone browser.

            If you get an "innocent" app in the appstore, it's not that difficult. Using the browser engine in an app is not unusual, and that app could visit an innocent url in the background, without the user seeing anything. When the app is accepted in the appstore, the url can be redirected to an attack site, which still could work in the background - et voilà! When the device is rooted by that website, it could as well execute some other code and install a rootkit.

      • by JAlexoi (1085785)
        Yeah... We all know that no-one opens that email file attachment titled "Nude pictures of (insert your favorite hot and young famous person).txt.exe".
  • by trboyden (465969) on Wednesday August 04, 2010 @08:56PM (#33145880) Homepage
    This just in... Apple bans PDFs on Apple devices... Steve Jobs was quoted as saying "PDFs are yesterday's portable documents - nobody uses them anymore. So we've decided to stop supporting PDFs on Apple devices. In addition, we've decided to not allow any media on our devices that you can't obtain through the iTunes Store. This way nobody can make our devices unstable and insecure like kernel vulnerabilities and overheating chipsets - oh wait..."
  • by Calibax (151875) * on Wednesday August 04, 2010 @08:56PM (#33145888)

    I don't know if this scenario is valid, as I don't have an iPhone that can run iOS4. But here goes anyway.

    So someone takes their iPhone and jailbreaks it. The two bugs that allowed this are still present in the jailbroken phones so the phones can also be pwned by anyone who comes up with a different exploit that uses these bugs. Clearly the phones can't be updated to 4.1 (as they are jailbroken) so unless someone produces patches independently of Apple they will remain in these jailbroken phones until they are discarded or reset to the official post 4.1 iOS. I wonder how many non-geeks who are persuaded to jailbreak their phones will realize this.

    Here's the root of the issue. When someone decides to use an exploitable bug for their own purposes they are not doing any favors for themselves or their users. Exploitable bugs should be reported so they can be fixed, not used to develop your own products - however popular the products might be in some circles. That might well be an unpopular view in this forum, but there it is.

    • Clearly the phones can't be updated to 4.1

      Why not? Jailbreaking doesn't prevent all the normal system stuff from operating as it should, you still sync with iTunes and it would still check for updates. The only downside is that it MAY break the jailbreaking. But even then something like MiFi might well still work.

      so unless someone produces patches independently of Apple

      Jailbreakers may well do that, they sometimes make modifications to system apps as part of the jailbreak.

      I've always said that when you j

    • by number17 (952777)
      1) The community has a fix for the exploit [http://obamapacman.com/2010/08/cydia-pdf-loading-warner-helps-prevent-ios-security-hole-exploit/]
      2) As you mentioned, when 4.1 or 4.0.1 is released just upgrade and jailbreak
    • by jd2112 (1535857)

      Exploitable bugs should be reported so they can be fixed, not used to develop your own products - however popular the products might be in some circles. That might well be an unpopular view in this forum, but there it is.

      Back in the days when Windows 3.x and 95 roamed the Earth that was the most common way to compete with Microsoft and their undocumented APIs.

  • by gig (78408) on Wednesday August 04, 2010 @10:57PM (#33146476)

    Apple announced earlier today that they already have a fix and it will roll out soon. It takes about 2 weeks to update half the platform, and another month to get most of the rest.

  • by chrism238 (657741) on Thursday August 05, 2010 @12:08AM (#33146826)
    Will Apple just place the patch in a PDF file on their website, for us all to download and auto-install?
  • WTF (Score:3, Insightful)

    by pootypeople (212497) on Thursday August 05, 2010 @12:58AM (#33147020)

    Everyone does realize that the OS of their smartphone has no relation to dick size, right?

    What the hell are folks arguing about, anyways? I would figure it's pretty awesome we live in an age where we can decide from multiple choices what advanced operating system will run our phone. That actually gets toward shit I wouldn't have expected growing up.

    But I guess folks have been getting pissed about other people's choice of OS for years. I really wish I understood why people get so pissed about that sort of thing. Operating systems are tools, not cults.
