Two Unpatched Flaws Show Up In Apple iOS

Trailrunner7 writes "The technique that the Jailbreakme.com Web site is using to bypass the iPhone's security mechanisms and enable users to run unapproved apps on their phones involves exploiting two separate vulnerabilities. One of the vulnerabilities is a memory-corruption flaw that affects the way that Apple's mobile devices, including the iPad and iPod Touch, display PDFs. The second weakness is a problem in the Apple iOS kernel that gives an attacker higher privileges once his code is on a targeted device, enabling him to break out of the iOS sandbox. The combination of the two vulnerabilities — both of which are unpatched at the moment — gives an attacker the ability to run remote code on the device and evade the security protections on the iPhone, iPad or iPod Touch. The technique became public earlier this week when the Jailbreakme.com site began hosting a set of specially crafted PDF files designed to help users jailbreak their Apple devices and load apps other than the ones approved by Apple and offered in its official App Store."

Re:Lol apple

[pclminion]

How do you know millions of phones aren't already compromised? They could just be sitting there quietly, waiting for the dust to settle a bit.

Do we need antivirus/antimalware on smart phones now? Welcome to the 21st century.

Re:Flaw?

[strayant]

I'd say both, and wonder, is their code open to scrutiny? I'd love to see someone verify and certify that there's nothing malicious with their code. One can argue, however, that any other site could use this in a harmful manner. This is a *real* concern. So while the jailbreak is nice, what isn't so nice?

Re:Lol apple

[tacarat]

I remember my old brick of a cell phone back in the 90s. No published exploits yet. Sometimes simpler is better...

Re:Rather unlikely scenario required

[Spy Hunter]

Um, the fact that jailbreakme.com works is proof that all those things are lining up perfectly. This is a real working exploit.

Falsely implied security

[mrsteveman1]

Back when Apple was trying to convince the public to accept this locked down app store model, one of the justifications was malware protection, specifically Jobs himself cited bluetooth worms. But the more these things start to look like and function like a general computer, the most likely attack vector is through websites just like on the desktop. The only other attack vector that Apple stops with this model is the fake screensavers, but apparently they aren't so good at catching unwanted code in the app store either, i believe there was a personal information theft app a few months back and just a few weeks ago there was a covert tethering app.

So i have to ask, if a website can line up a few exploits like this and compromise the entire device to the level needed to actually break the chain of trust Apple has created, what is the point of all this shit? Just so Apple can control their OS environment like a dictator?

Re:Flaw?

[maxume]

The 'remote' part of the exploit sort of shits all over the 'feature' argument.

Re:Lol apple

[pushing-robot]

BlackBerry? Symbian?

Re:Lol apple

[mini me]

I am not sure why people keep quoting that article when it comes to OS share. Apple sells more iPod touches [theappleblog.com] and iPads [ngonlinenews.com] than iPhones. Android barely squeaks past just iPhone and only in the US market. I do expect that one day Android will dominate the market, but it has a long way to go.

Re:Flaw?

[Anonymous Coward]

The problem is, it doesn't just allow you to jailbreak your phone. It allows anyone who can get you to view a pdf in the browser to own your phone -- that makes it a flaw, most definitely.

Security-through-obscurity no more

[by (1706743)]

Although various Windows versions may well be less secure than their contemporary Mac versions, Windows was always more vulnerable simply because there was a bigger incentive to attack it (i.e., more users).

Seems that Apple is now paying the price for popularity.

The price not paid

[SuperKendall]

Seems that Apple is now paying the price for popularity.

What price? There are as yet no malicious attacks that make use of this attack vector. The only thing that does is using it as a utility that the user invokes on purpose, and even has to swipe to activate it!

Currently Apple users are not paying any price despite having a very popular mobile platform that every now and then has well-publicised vulnerabilities. Hmm.

didn't you just argue FOR the app store?

[SuperKendall]

But the more these things start to look like and function like a general computer, the most likely attack vector is through websites just like on the desktop

You just made the argument for why users should only use applications vetted from a store instead of the general web.

Happily the iPhone actually doesn't impose any restrictions on web use.

I just thought it was odd you were trying to argue against the security benefits of a closed app store using a bug in a totally open browser model.

The point of the app store would then be that the more applications users used, the less exposed they would be to web bugs. We know attackers inject exploits into popular websites all the time.

You missed his point...

[Anonymous Coward]

Apple pretends controlling the app store is enough to prevent malicious code, while this exploit shows that you have to also consider malicious data which injects code via existing "vetted" apps with data handling bugs (since proving app safety during vetting is far from a solved problem). The iPhone continues to become a general purpose computer as long as vetted apps do more and more complex things with data that is obtained from external sources.

I await the audible or visual hack that gets a malicious pattern in through the microphone or camera, and then triggers bugs in the apps that try to do clever things with sound, image, or video!

Re:The price not paid

[Dragonslicer]

There are as yet no malicious attacks that make use of this attack vector.

That we know about.

Good point, but then it doesn't matter

[SuperKendall]

That we know about.

True, but if we have not heard of any then the infection rate is pretty low - after all you have to get the exploit up on a site and then get the person to visit that with the iPhone browser.

I would argue that most browser use on mobile devices is going to well-known sites (like your favorite news site, bank, etc) so the chances of a rogue website affecting random users seems pretty low.

Given there's working example code showing how to use the exploit you would actually expect something harmful pretty soon, but I've seen no signs of anything. Perhaps anyone who would target it figures since a patch will be out in a few days there's not enough potential gain.

Re:Flaw?

[squidinkcalligraphy]

Certain a feature, if by feature you mean a remotely exploitable root vulnerability. Yes, definitely a feature. For crackers.

For the rest of us it's a pretty critical flaw, namely one that can 0wn yr ph0ne by visiting a malicious website.

Re:You missed his point...

[mrsteveman1]

What makes you think the apps are safely sandboxed if the browser isn't? If the browser isn't sandboxed at all, why the fuck not? If it is and this still happened, then the sandbox isn't all that effective, especially if you can get someone to run code locally and call native APIs.

Re:Lol apple

[PopeRatzo]

More secure does not equal completely secure.

Another way to put it might be: "If it's not completely secure, it's not secure at all".

Re:Lol apple

[icebraining]

Of course it's with your phone:

Although the GSM specifications say that a phone should pop up a warning when it connects to a station that does not have encryption, SIM cards disable that setting so that alerts are not displayed. Even though the GSM spec requires it, this is a deliberate choice of the cell phone makers, Paget said."

Your phone should warn you and it doesn't. It's a vulnerability in your phone.

Browser is sandboxed

[SuperKendall]

What makes you think the apps are safely sandboxed if the browser isn't?

For one thing, I'm an iPhone developer so I know the exact constraints of the application sandbox.

But also - the browser is sandboxed. Read details of the attack, it breaks the browser but then ALSO uses a second attack to escape the browser sandbox. The question is if the same thing is possible for any application, or if the sandbox exit is unique to Safari.

But having two exploits in alignment is a rare thing. It's rare enough that exploitable bugs in both systems will be hard to come by, and if malware writers are not exploiting the current bug in Safari why would they do so with the much smaller attack space of any one application?

WTF

[pootypeople]

Everyone does realize that the OS of their smartphone has no relation to dick size, right?

What the hell are folks arguing about, anyways? I would figure it's pretty awesome we live in an age where we can decide from multiple choices what advanced operating system will run our phone. That actually gets toward shit I wouldn't have expected growing up.

But I guess folks have been getting pissed about other people's choice of OS for years. I really wish I understood why people get so pissed about that sort of thing. Operating systems are tools, not cults.