Slashdot Mirror


Two Unpatched Flaws Show Up In Apple iOS

Trailrunner7 writes "The technique that the Jailbreakme.com Web site is using to bypass the iPhone's security mechanisms and enable users to run unapproved apps on their phones involves exploiting two separate vulnerabilities. One of the vulnerabilities is a memory-corruption flaw that affects the way that Apple's mobile devices, including the iPad and iPod Touch, display PDFs. The second weakness is a problem in the Apple iOS kernel that gives an attacker higher privileges once his code is on a targeted device, enabling him to break out of the iOS sandbox. The combination of the two vulnerabilities — both of which are unpatched at the moment — gives an attacker the ability to run remote code on the device and evade the security protections on the iPhone, iPad or iPod Touch. The technique became public earlier this week when the Jailbreakme.com site began hosting a set of specially crafted PDF files designed to help users jailbreak their Apple devices and load apps other than the ones approved by Apple and offered in its official App Store."

171 comments

  1. Flaw? by nurb432 · · Score: 0, Troll

    Or feature?

    Since it's allowed many of us to jailbreak our devices I'd say it's a feature. But one they will want to patch to prevent it. Too bad if we don't; we are vulnerable to legitimate attacks.

    Now that the feds have officially said we can do this without any legal repercussions (well, duh...), why can't Apple just open it up with a disclaimer "yes, here is the unlock code, but if you use it, you void your warranty" then track who uses their code (a unique key per device). That way users can have a choice, without relying on bugs.

    --
    ---- Booth was a patriot ----
    1. Re:Flaw? by strayant · · Score: 2, Insightful

      I'd say both, and wonder, is their code open to scrutiny? I'd love to see someone verify and certify that there's nothing malicious with their code. One can argue, however, that any other site could use this in a harmful manner. This is a *real* concern. So while the jailbreak is nice, what isn't so nice?

    2. Re:Flaw? by maxume · · Score: 2, Insightful

      The 'remote' part of the exploit sort of shits all over the 'feature' argument.

      --
      Nerd rage is the funniest rage.
    3. Re:Flaw? by Anonymous Coward · · Score: 2, Insightful

      The problem is, it doesn't just allow you to jailbreak your phone. It allows anyone who can get you to view a PDF in the browser to own your phone -- that makes it a flaw, most definitely.

    4. Re:Flaw? by somenickname · · Score: 2, Funny

      This is a feature in the same way the antenna problem is: "Well, at least I get a free bumper out of it!"

    5. Re:Flaw? by strayant · · Score: 1

      Well, the jailbreakme.com site doesn't exactly let you know that *it* is showing you a PDF... so one could argue that it wouldn't take much to do the same in a destructive way. I'm thinking even of things like hacked sites with a little browser agent detection that could seem innocent to most users... Anyone want a cheap botnet? So (1) when will this be patched, and (2) how many people will not patch?

    6. Re:Flaw? by dakameleon · · Score: 1

      Because of jailbreak apps like Installous, and MyWi, and My3G. The first lets you pirate App Store apps, violating terms and screwing Apple & the developers of the Apps. MyWi and My3G piss AT&T and the other carriers around the world off because they let you use a service provided in a way they didn't intend you to use.

      I'd suspect even Google would make more effort to lock down Android if stuff like Installous was floating around there (is it? I have no idea).

      --
      Man who leaps off cliff jumps to conclusion.
    7. Re:Flaw? by squidinkcalligraphy · · Score: 2, Insightful

      Certainly a feature, if by feature you mean a remotely exploitable root vulnerability. Yes, definitely a feature. For crackers.

      For the rest of us it's a pretty critical flaw, namely one that can 0wn yr ph0ne by visiting a malicious website.

      --
      "I think it would be a good idea" Gandhi, on Western Civilisation
    8. Re:Flaw? by Mr2001 · · Score: 2, Informative

      I'd suspect even Google would make more effort to lock down Android if stuff like Installous was floating around there (is it? I have no idea).

      You don't need anything like Installous on Android, because Android doesn't limit where you can install apps from. Once you check the "Allow installation of non-Market applications" option, you can just point the browser at a link to a .apk file.

      Google is addressing paid-app piracy, but not by locking down the OS. Instead, they're letting apps check with Google's servers to verify that the app has been purchased by the person who's running it.

      --
      Visual IRC: Fast. Powerful. Free.
    9. Re:Flaw? by pinkushun · · Score: 1

      Flaw - exploiting, circumventing or bypassing security / hardware / software mechanisms via holes/flaws in the design
      Feature - functionality that the device was intended to perform
      Hack - adding functionality that the device was not made to perform

      It's a hack, by breaking out of the sandbox and running applications / enabling functionality that the device wasn't intended to run.

      OT, I think your post should be modded insightful!

    10. Re:Flaw? by BarryJacobsen · · Score: 1

      I'd suspect even Google would make more effort to lock down Android if stuff like Installous was floating around there (is it? I have no idea).

      You don't need anything like Installous on Android, because Android doesn't limit where you can install apps from. Once you check the "Allow installation of non-Market applications" option, you can just point the browser at a link to a .apk file.

      Google is addressing paid-app piracy, but not by locking down the OS. Instead, they're letting apps check with Google's servers to verify that the app has been purchased by the person who's running it.

      How is that addressing the problem? Are they not aware that crackers can remove such simple protections (for examples, see every desktop application ever pirated)?

    11. Re:Flaw? by Xyde · · Score: 1

      Well clearly they are most concerned with the appearance of addressing the problem, not the problem itself. I mean this sounds like it could be defeated with an entry in /etc/hosts, nevermind bothering to crack each app. Android being completely open will have no problem running a local daemon saying yes to everything you throw at it, I'm quite sure. Encryption is scary and sounds too much like DRM for them to utilize in anything visible. (though bootloaders are apparently fair game?)

      Either way, digital locks, particularly on open platforms, are ineffective other than keeping out the casual pirate. At one extreme (Apple) you have signed code running with its various layers of authentication, sandboxing and encryption everywhere -- trivially circumvented if a jailbreak is available but otherwise cryptographically secure. ...And yet Google's approach seems to be aiming just one notch above asking politely not to steal apps, which sounds good at first and seems easy enough...but ultimately developers, and thus everything, will suffer.

      Why? It's easy to see how "Allow installation of non-Market applications" will become *the* preferred method of software installation due to it being the only constant among handsets; the Market Place is only on special Google devices and clearly Carriers will foist their own horrible interpretations of what they think an App Store should be, nobody will use them of course. Why bother when you can get the same thing for free, easier and more quickly? This will happen very quickly and when it does the Black Market for cracked apps will not only be "the logical choice"--it will be waiting, well established and more popular than Napster. I don't predict App Stores on Android to be fruitful given this landscape, even before taking into account the stench of fail permeating this Verizon App Store (or T-Mobile's App Café).

      Obviously the situation is entirely different over on the iOS side of the pond where they seem to be caught in the most envious loop of increasing apps, eyeballs, and earnings. Ask literally anyone how to install on an iPhone...the only response is "the App Store". This didn't happen by accident.

    12. Re:Flaw? by Mr2001 · · Score: 1

      It doesn't completely prevent piracy; that's impossible without moving to a complete "trusted computing" dystopia.

      What it does is raise the bar. It prevents the easy, casual kind of piracy where you copy the .apk off one device and onto another. Now you have to modify the code, which requires some level of skill and familiarity with the intimate details of Dalvik. It also breaks the original .apk signature, which changes the identity of the app, which has consequences for updating the app and sharing data between apps.

      --
      Visual IRC: Fast. Powerful. Free.
    13. Re:Flaw? by Mr2001 · · Score: 1

      I mean this sounds like it could be defeated with an entry in /etc/hosts, nevermind bothering to crack each app. Android being completely open will have no problem running a local daemon saying yes to everything you throw at it, I'm quite sure.

      You can't edit /etc/hosts without rooting, and a local daemon won't be able to mimic the official licensing server if the protocol uses any sort of encryption (which I presume it does, because Google isn't stupid).

      It's easy to see how "Allow installation of non-Market applications" will become *the* preferred method of software installation due to it being the only constant among handsets; the Market Place is only on special Google devices

      This has not happened after almost two years of Android. Yes, there are devices without access to the Market. Those devices suck, and people who care about apps stay away from them.

      and clearly Carriers will foist their own horrible interpretations of what they think an App Store should be, nobody will use them of course.

      This has not happened either, as far as I know.

      I don't predict App Stores on Android to be fruitful given this landscape,

      Neither do I, because the Android Market already does what most people want from an app store. Its only major failing is that the payment system isn't yet operative in some countries.

      even before taking into account the stench of fail permeating this Verizon App Store (or T-Mobile's App Café).

      Not sure what you're talking about, and searching for "App Cafe" doesn't turn up any relevant hits. Verizon's "app store" for Android consists of a small section inside the regular Market app highlighting apps Verizon wants to promote (with a couple exclusives like an app to access your phone bill).

      --
      Visual IRC: Fast. Powerful. Free.
  2. Re:Lol apple by mini+me · · Score: 2, Interesting

    More secure does not equal completely secure.

    Though you do bring up an interesting point. iOS is the biggest mobile operating system player right now, and even with that large market share, so far nobody has turned all of those iPhones into a botnet. If Windows had the same bug, we would have millions of maliciously compromised systems by now. What gives?

  3. Re:Lol apple by pclminion · · Score: 3, Insightful

    How do you know millions of phones aren't already compromised? They could just be sitting there quietly, waiting for the dust to settle a bit.

    Do we need antivirus/antimalware on smart phones now? Welcome to the 21st century.

  4. Re:Lol apple by Some.Net(Guy) · · Score: 4, Informative

    iOS is the biggest mobile operating system player right now

    Yep, it sure is. I mean, if you don't count Android

  5. Re:Lol apple by tacarat · · Score: 5, Insightful

    I remember my old brick of a cell phone back in the 90s. No published exploits yet. Sometimes simpler is better...

    --
    "Common sense will be the death of us all"
  6. Re:Rather unlikely scenario required by Spy+Hunter · · Score: 5, Insightful

    Um, the fact that jailbreakme.com works is proof that all those things are lining up perfectly. This is a real working exploit.

    --
    main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
  7. Falsely implied security by mrsteveman1 · · Score: 5, Insightful

    Back when Apple was trying to convince the public to accept this locked down app store model, one of the justifications was malware protection; specifically, Jobs himself cited Bluetooth worms. But the more these things start to look like and function like a general computer, the most likely attack vector is through websites just like on the desktop. The only other attack vector that Apple stops with this model is the fake screensavers, but apparently they aren't so good at catching unwanted code in the app store either; I believe there was a personal information theft app a few months back and just a few weeks ago there was a covert tethering app.

    So I have to ask, if a website can line up a few exploits like this and compromise the entire device to the level needed to actually break the chain of trust Apple has created, what is the point of all this shit? Just so Apple can control their OS environment like a dictator?

    1. Re:Falsely implied security by Anonymous Coward · · Score: 0

      Yep! Oh, was that a rhetorical question?

    2. Re:Falsely implied security by BitZtream · · Score: 1

      Ignoring the fact that you'll get an update for something like this probably relatively quickly since it gets around their security. Their own greed gives them an actual reason to stay secure, but they'll still have bugs.

      You also accept that Apple may turn off an app, like the ones you listed as well, which may keep you safe.

      Yes, buying an iOS device means you are paying for the privilege of having Apple control what can be on your device. It's like paying for Antivirus software, except there is a direct financial incentive for it to actually work well. If it doesn't work well, Apple has lost the cash potential of having the only app store.

      Or, you can get an open phone and do whatever you want with it and not let anyone else tell you what to do with it, even if they find problems you really probably do want them to fix. You can have a whole bunch of options. You can have the power and added complexity and lack of someone looking over your shoulder for a lower price, because your vendor really doesn't have a major incentive to fix the problem and well, it's your choice to fix it anyway.

      Some people like the second option, some people like the first, it really kind of depends on your view point and what you want out of the device doesn't it?

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    3. Re:Falsely implied security by juasko · · Score: 0

      Yes, there was an information theft of up to 400 iTunes accounts that had been retrieved by phishing.
      Not so much Apple's fault there. But Apple did up their security measures after that.

    4. Re:Falsely implied security by JAlexoi · · Score: 1

      It's all about the money! No control = no money.

  8. Re:Lol apple by pushing-robot · · Score: 3, Insightful

    BlackBerry? Symbian?

    --
    How can I believe you when you tell me what I don't want to hear?
  9. Re:Lol apple by mini+me · · Score: 4, Insightful

    I am not sure why people keep quoting that article when it comes to OS share. Apple sells more iPod touches and iPads than iPhones. Android barely squeaks past just iPhone and only in the US market. I do expect that one day Android will dominate the market, but it has a long way to go.

  10. Now I like a good apple bash by mjwx · · Score: 0

    But...

    Two unpatched flaws. What kind of reporting is this? If they were patched there wouldn't be a problem. Do we really need to keep sticking unnecessary and redundant words into a headline? If these flaws have been around for a while you could say "two flaws in iOS remain unpatched" but really, "two unpatched flaws". I'd hate to think what will happen when we find patched flaws.

    --
    Calling someone a "hater" only means you can not rationally rebut their argument.
    1. Re:Now I like a good apple bash by Avuserow · · Score: 1

      I imagine that if we find patched flaws, the headline should go something like "iPhone OS 4.0.1 update patches two flaws".

    2. Re:Now I like a good apple bash by pclminion · · Score: 1

      I'm not sure where you get the idea that patched flaws are harmless. In the industry these are commonly called "1-day" exploits. There is an entire community centered around the analysis of vendor updates and patches in order to figure out the exact nature of the security flaws which are being patched -- these flaws are then exploited in the wild on systems which aren't patched yet.

      The whole world doesn't suddenly get fixed when a vendor releases an update. You may have thousands or millions of vulnerable systems for months, and some people just never patch at all. Getting the patch out is just the beginning of a long process of securing that particular vulnerability.

    3. Re:Now I like a good apple bash by mjwx · · Score: 1

      I'm not sure where you get the idea that patched flaws are harmless.

      Where you got that idea from I do not know.

      In context, do you expect "two patched flaws show up in foo". The headline insinuated the flaws are new (to "show up"), if they had been patched surely it is a logical conclusion to say that the flaws have previously been discovered. Even if a patch fails to fix a known exploit, is it not reasonable to say the flaws are still unpatched?

      Saying the flaw was "unpatched" was done for effect and is entirely redundant.

      You may have thousands or millions of vulnerable systems for months, and some people just never patch at all.

      But this still does not make a "patched flaw", it makes it a flaw for which a patch exists.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  11. Security-through-obscurity no more by by+(1706743) · · Score: 4, Insightful

    Although various Windows versions may well be less secure than their contemporary Mac versions, Windows was always more vulnerable simply because there was a bigger incentive to attack it (i.e., more users).

    Seems that Apple is now paying the price for popularity.

    1. Re:Security-through-obscurity no more by DJCouchyCouch · · Score: 0

      Yep, I'm sure they're really regretting that whole "success" and "profit" thing right now.

  12. Patched in 4.1... by SuperKendall · · Score: 0

    4.1 is probably out very soon now, and I believe it was reported the PDF bug at least is closed (and I assume the other). It's debatable if they should wait even a week for a fix, but as long as there are no malicious exploits in the wild it doesn't matter much to users... I'd bet Apple is sitting on an emergency patch to issue if they had to, but they'd rather just get 4.1 out.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Patched in 4.1... by jo42 · · Score: 1

      iOS 4.1 beta 3 came out only a week after beta 2. Usually beta releases are two weeks apart. This indicates 4.1 should be out Real Soon Now. They also fixed the iPhone 4 proximity sensor issue in b3. It also looks like 4.1 works better on older iDevices (iPhone 3G, iPod touch 2nd gen) than 4.0 does (which was rushed out to meet the iPhone 4 shipping date, no doubt).

    2. Re:Patched in 4.1... by Albanach · · Score: 1

      And this poses a conundrum for those that jailbreak with this flaw. Assuming it doesn't fix the flaw itself, you're still left exposed with a device vulnerable to malicious rooting.

      Do you sit on your unpatched version of iOS, knowing that any malicious site can root your handheld device, or do you give up the freedoms you obtained and patch for safety?

    3. Re:Patched in 4.1... by socsoc · · Score: 1

      There'll likely be other ways of jailbreaking. PwnageTool supported jailbreak pretty soon after 4.0 dropped.

      Wait for the dev team, patch your phone and carry on.

    4. Re:Patched in 4.1... by Anubis350 · · Score: 2, Informative

      Actually, at the moment, only jailbreakers can be *safe* from this vulnerability. Google "PDF Loading Warner". Ironic, isn't it?

      --
      "goodbye and hello, as always" ~Prince Corwin, from Zelazny's Amber series
  13. The funny thing is it's not even accurate by SuperKendall · · Score: 1, Interesting

    Two unpatched flaws

    The really funny thing is, that by adding those words they made the statement wrong - there are patches (PDF for sure), already in 4.1. 4.1 includes a PDF fix for a Mac OS X vulnerability reported on well before this week.

    But 4.1 is not yet public (though it should be very soon now).

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:The funny thing is it's not even accurate by gutnor · · Score: 1
      "there are patches (PDF for sure), already in 4.1" ... "But 4.1 is not yet public"

      Well, that's the definition of an unpatched flaw. Unpatched in this context does not mean that nobody has a fix; it means that there is no patch available to the general public of the iPhone.

      Moreover, 4.1 is still in beta. If it happens that the patch fails the beta, by for example causing side-effects with some user, Apple may have no choice but to put it out of 4.1, or delay 4.1.

  14. Re:Lol apple by icebraining · · Score: 1

    Yes, it has, it can be tricked into using a rogue cell.

  15. The price not paid by SuperKendall · · Score: 2, Insightful

    Seems that Apple is now paying the price for popularity.

    What price? There are as yet no malicious attacks that make use of this attack vector. The only thing that does is using it as a utility that the user invokes on purpose, and even has to swipe to activate it!

    Currently Apple users are not paying any price despite having a very popular mobile platform that every now and then has well-publicised vulnerabilities. Hmm.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:The price not paid by beej · · Score: 1, Funny

      Currently Apple users are not paying any price despite having a very popular mobile platform that every now and then has well-publicised vulnerabilities. Hmm.

      Apple products are only free if your money is not worth anything. ;-)

    2. Re:The price not paid by Dragonslicer · · Score: 2, Insightful

      There are as yet no malicious attacks that make use of this attack vector.

      That we know about.

    3. Re:The price not paid by Anonymous Coward · · Score: 0

      There are as yet no malicious attacks that make use of this attack vector.

      That we know about.

      FUD?

    4. Re:The price not paid by Anonymous Coward · · Score: 0

      Have you looked at what this does to your iPhone in its entirety? It seems to me that promising to jailbreak an iPhone would be a good way to get lots of people to allow you to root their phone and install whatever you wanted on it. Do you think that evil software tells you it's evil when it's trying to get you to install it?

    5. Re:The price not paid by exomondo · · Score: 1

      What price?

      Currently Apple users are not paying any price despite having a very popular mobile platform that every now and then has well-publicised vulnerabilities. Hmm.

      You misread (odd since you quoted the text as well). He said 'Apple', not 'Apple users', and it is very well known that Apple do not like jailbreaking.

    6. Re:The price not paid by MikePikeFL · · Score: 1

      Reality check. To quote the Italian Job:

      "If there's one thing I know, it's never to mess with mother nature, mother in-laws and, mother freaking Ukrainians."

      --
      "Never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway" -Andrew Tanenbaum
    7. Re:The price not paid by JAlexoi · · Score: 1

      Yeah... We all know that no-one opens that email file attachment titled "Nude pictures of (insert your favorite hot and young famous person).txt.exe".

  16. Re:Lol apple by h4rr4r · · Score: 5, Informative

    iOS is not the biggest mobile operating system in any way, shape or form. RIM has far more devices in North America and Nokia rules the rest of the world.

  17. He said operating systems, not devices by SuperKendall · · Score: 3, Interesting

    iOS is the biggest mobile operating system player right now

    Yep, it sure is. I mean, if you don't count Android

    Count Android all you like, if you count every Android device sold to date it would not equal the number of iPhone and iPod Touch units sold.

    The Touch (and iPad) all run the same mobile iOS the phones do.

    Note that link was from back in 2009...

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:He said operating systems, not devices by somenickname · · Score: 3, Informative

      Count Android all you like, if you count every Android device sold to date it would not equal the number of iPhone and iPod Touch units sold.

      The Touch (and iPad) all run the same mobile iOS the phones do.

      Note that link was from back in 2009...

      Android and iOS combined don't even come close to Symbian.

    2. Re:He said operating systems, not devices by Anonymous Coward · · Score: 0

      But if you count iPads, then you have to count Windows laptops too. In that case, iOS is not anywhere near the largest mobile OS...

    3. Re:He said operating systems, not devices by Anonymous Coward · · Score: 0

      If you are including those devices it would be wrong to call it a mobile operating system since a large percentage of use is on non-mobile devices.

    4. Re:He said operating systems, not devices by juasko · · Score: 0

      Not at all, Windows laptops ain't close to what an iPad is. Yeah yeah, MS fanboys, I know they are more than that but still not close.

  18. Re:Lol apple by MichaelSmith · · Score: 2, Informative

    Somebody could rewire the phone lines to my house too, but I don't count that as a vulnerability in the simple electronics in my land line phones.

  19. didn't you just argue FOR the app store? by SuperKendall · · Score: 5, Insightful

    But the more these things start to look like and function like a general computer, the most likely attack vector is through websites just like on the desktop

    You just made the argument for why users should only use applications vetted from a store instead of the general web.

    Happily the iPhone actually doesn't impose any restrictions on web use.

    I just thought it was odd you were trying to argue against the security benefits of a closed app store using a bug in a totally open browser model.

    The point of the app store would then be that the more applications users used, the less exposed they would be to web bugs. We know attackers inject exploits into popular websites all the time.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:didn't you just argue FOR the app store? by h4rr4r · · Score: 1

      Considering that tethering and malicious apps have made it through, the store is not a safety guarantee.

    2. Re:didn't you just argue FOR the app store? by Mr2001 · · Score: 1

      I just thought it was odd you were trying to argue against the security benefits of a closed app store using a bug in a totally open browser model.

      On an open platform, you'd be able to use a third-party browser when flaws like this are discovered in the built-in browser.

      On the iPhone, however, you're stuck with Apple's browser core (no pun intended). Third parties are allowed to post their own WebKit skins in the app store, but those are likely to feature all the same bugs.

      --
      Visual IRC: Fast. Powerful. Free.
    3. Re:didn't you just argue FOR the app store? by Anonymous Coward · · Score: 0

      But the more these things start to look like and function like a general computer, the most likely attack vector is through websites just like on the desktop

      You just made the argument for why users should only use applications vetted from a store instead of the general web.

      Happily the iPhone actually doesn't impose any restrictions on web use.

      I just thought it was odd you were trying to argue against the security benefits of a closed app store using a bug in a totally open browser model.

      The point of the app store would then be that the more applications users used, the less exposed they would be to web bugs. We know attackers inject exploits into popular websites all the time.

      Wow, you want to get rid of the browser as well?

      Steve? Is that you?

    4. Re:didn't you just argue FOR the app store? by SuperKendall · · Score: 1

      On an open platform, you'd be able to use a third-party browser when flaws like this are discovered in the built-in browser.

      You could always use Opera MINI on the iPhone.

      However it's a poor argument in this case as any third party browser you used would still hand the PDF off to the vulnerable system library to parse and display...

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
    5. Re:didn't you just argue FOR the app store? by Mr2001 · · Score: 1

      You could always use Opera MINI on the iPhone.

      Opera Mini's server-side rendering and minimal interactivity make it unsuitable to replace a native browser for general use, as I'm sure you're aware.

      However it's a poor argument in this case as any third party browser you used would still hand the PDF off to the vulnerable system library to parse and display...

      ... unless it didn't. Third-party browsers could use third-party PDF rendering libraries.

      --
      Visual IRC: Fast. Powerful. Free.
    6. Re:didn't you just argue FOR the app store? by shmlco · · Score: 1

      "... unless it didn't. Third-party browsers could [sic] use third-party PDF rendering libraries."

      Unless they didn't.

      --
      Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.
    7. Re:didn't you just argue FOR the app store? by Mr2001 · · Score: 1

      Sure. Point is, iPhone developers are forbidden from writing and distributing browsers that use non-Apple rendering technology. When a bug like this is found, all users can do is hope that Apple fixes it quickly.

      On open platforms, developers have no such restriction. If a bug like this hit Android, you'd probably see third-party browsers on the market soon after that didn't have the same bug -- in fact, there's already a version of Firefox for Android, and there are multiple PDF viewers.

      --
      Visual IRC: Fast. Powerful. Free.
  20. Patch may not affect jailbreak. by SuperKendall · · Score: 2, Informative

    Often the patches will not undo already jailbroken systems. So there's that possibility.

    But if someone finds they like the jailbreaking, they can just use whatever mechanism will come along to jailbreak 4.1. Usually it's not as dramatic as a browser bug and it involves running an application on your main computer to alter your attached device, but it's easy enough for anyone interested to keep going.

    Another option is that jailbreakers can simply replace the 4.0 PDF library with the 4.1 version (if compatible).

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  21. Re:Pure Epic by jellomizer · · Score: 1

    So when Android takes over the iPhone market, can we be as smug about vulnerabilities that come up?

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  22. You missed his point... by Anonymous Coward · · Score: 1, Insightful

    Apple pretends controlling the app store is enough to prevent malicious code, while this exploit shows that you have to also consider malicious data which injects code via existing "vetted" apps with data handling bugs (since proving app safety during vetting is far from a solved problem). The iPhone continues to become a general purpose computer as long as vetted apps do more and more complex things with data that is obtained from external sources.

    I await the audible or visual hack that gets a malicious pattern in through the microphone or camera, and then triggers bugs in the apps that try to do clever things with sound, image, or video!

    1. Re:You missed his point... by SuperKendall · · Score: 2, Interesting

      while this exploit shows that you have to also consider malicious data which injects code via existing "vetted" apps

      That implies if an app store app had a security issue it would be an issue beyond that application. That is generally not the case since the apps are all well sandboxed and cannot affect the system. Messing with an approved app via some flaw would usually get you nothing but a corrupted app. You can't even modify the app binary from the app itself...

      I'm not even sure breaking an app would be able to get you to the same system-privilege exploit break that Safari is able to reach, since Safari is a system app that possibly has slightly more leeway in access to the system.

      I await the audible or visual hack that gets a malicious pattern in through the microphone or camera, and then triggers bugs in the apps that try to do clever things with sound, image, or video!

      I've read about that concept before and it's a cool thought experiment, but in reality I don't think that's a practical line of attack, since the full range of possible data from those forms of input is so well understood by the things processing it and so limited in scope. Anything going in through the camera is going to have pixels with RGB values ranging from 0 to 255 in an array of pixels at a specific size; there's just no input you could give that would break anything. Basically the A/D converters are acting as a kind of firewall for your input, preventing data outside the extremes from being processed.

      MAYBE you could devise some kind of sequence that would break the autofocus system when presented with a specific set of targets, but even then could you inject code once you had broken AF? It seems well beyond practical to be able to do so even just for research purposes.

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
    2. Re:You missed his point... by labradore · · Score: 2, Interesting

      How about when the camera starts to do face recognition (like most point-and-shoot digicams do today) and also starts to recognize bar codes and the square patterns like the ones that the Android app store uses? How about voice recognition and commands built into the machine? The smarter you make these things, the more complex they become. At a certain level of complexity, you lose assurance that the security works properly. It takes exponentially more time to vet the system as the complexity increases.

    3. Re:You missed his point... by mrsteveman1 · · Score: 2, Insightful

      What makes you think the apps are safely sandboxed if the browser isn't? If the browser isn't sandboxed at all, why the fuck not? If it is and this still happened, then the sandbox isn't all that effective, especially if you can get someone to run code locally and call native APIs.

    4. Re:You missed his point... by Anonymous Coward · · Score: 0

      The system apps in iOS have different privileges than user space apps. The evidence of this is that even before multitasking was allowed for user space apps, the built-in music player could run in the background. Similarly the built-in mail app, phone app, and MMS app used push notifications before user space apps could.

      I don't claim to know the extent of the difference between the sandboxing of system apps and user space apps, but there clearly is some variation in their permissions.

      The probable reason for differences in permission levels is security vs. feature richness. There are some features that are inherently dangerous (multitasking, copy/paste, file system access, etc.). For security reasons Apple restricts many of those from working in third party apps, while allowing them to work in their own internally developed apps for feature richness (trusting that people on their payroll have less incentive to abuse the power). This allows the system apps to provide services that users want but carry higher risk, while still preventing unknown third parties from having access to those same potentially dangerous features.

      In short, it's probably a good idea to look at how/if this exploit will work in the non-Safari browsers for iOS, as that will highlight differences in access between system apps and user level apps that perform the same function.

  23. Apple bans PDFs... by trboyden · · Score: 3, Funny

    This just in... Apple bans PDFs on Apple devices... Steve Jobs was quoted as saying "PDFs are yesterday's portable documents - nobody uses them anymore. So we've decided to stop supporting PDFs on Apple devices. In addition, we've decided to not allow any media on our devices that you can't obtain through the iTunes Store. This way nobody can make our devices unstable and insecure like kernel vulnerabilities and overheating chipsets - oh wait..."

    1. Re:Apple bans PDFs... by Anonymous Coward · · Score: 0

      Finally! Thank goodness!

    2. Re:Apple bans PDFs... by netsharc · · Score: 1

      You forgot to add "if you don't like it, you can use HTML5"!

      --
      What time is it/will be over there? Check with my iPhone app!
  24. Products based on exploits by Calibax · · Score: 5, Interesting

    I don't know if this scenario is valid, as I don't have an iPhone that can run iOS4. But here goes anyway.

    So someone takes their iPhone and jailbreaks it. The two bugs that allowed this are still present in the jailbroken phones, so the phones can also be pwned by anyone who comes up with a different exploit that uses these bugs. Clearly the phones can't be updated to 4.1 (as they are jailbroken), so unless someone produces patches independently of Apple they will remain in these jailbroken phones until they are discarded or reset to the official post-4.1 iOS. I wonder how many non-geeks who are persuaded to jailbreak their phones will realize this.

    Here's the root of the issue. When someone decides to use an exploitable bug for their own purposes they are not doing any favors for themselves or their users. Exploitable bugs should be reported so they can be fixed, not used to develop your own products - however popular the products might be in some circles. That might well be an unpopular view in this forum, but there it is.

    1. Re:Products based on exploits by number17 · · Score: 1

      1) The community has a fix for the exploit [ http://obamapacman.com/2010/08/cydia-pdf-loading-warner-helps-prevent-ios-security-hole-exploit/ ]
      2) As you mentioned, when 4.1 or 4.0.1 is released just upgrade and jailbreak

    2. Re:Products based on exploits by jd2112 · · Score: 1

      Exploitable bugs should be reported so they can be fixed, not used to develop your own products - however popular the products might be in some circles. That might well be an unpopular view in this forum, but there it is.

      Back in the days when Windows 3.x and 95 roamed the Earth that was the most common way to compete with Microsoft and their undocumented APIs.

      --
      Any insufficiently advanced magic is indistinguishable from technology.
    3. Re:Products based on exploits by Anonymous Coward · · Score: 0

      "Exploitable bugs should be reported so they can be fixed, not used to develop your own products"

      Yea, right. The reality is that most discoveries of exploitable bugs these days get parlayed into a career with a three letter agency, or sold to the highest bidder (who is also usually a three letter agency, or a mafia, or both). The days of posting that 0day to BugTraq are well and truly behind us.

    4. Re:Products based on exploits by fightinfilipino · · Score: 1

      That isn't so much of a "fix" as it is a warning screen before a user loads any PDF on his or her iOS device. Considering the "typical user", that person will most likely impatiently click to ignore the warning anyway whenever it pops up, assuming that the user bothers to install the warning app at all.

    5. Re:Products based on exploits by BitZtream · · Score: 1

      Actually, I don't know about the current jailbreak as I haven't bothered to do it since the very first versions but ...

      The installers that ran afterward usually patched the exploit as well.

      Also, jailbroken phones can sometimes be upgraded and as I recall that was usually the first way they would get new iOS broken.

      Like I said, it's been a while ... and who knows what ACTUALLY gets installed, as I doubt anyone bothers to analyze what they get.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    6. Re:Products based on exploits by strack · · Score: 1

      Gee. If only one could create a jailbroken app that seals the hole after you've jailbroken your phone. Problem solved!

    7. Re:Products based on exploits by Anonymous Coward · · Score: 0

      You can use your freshly jailbroken iPhone and install a fix that will prevent automatic loading of a PDF:
      http://www.spiritjb.org/2010/08/important-how-to-fix-serious-security.html

    8. Re:Products based on exploits by netsharc · · Score: 1

      ... and why would a typical ignorant user bother to jailbreak? If they got the phone jailbroken by their techie friend, it can be hoped that that techie friend also installed this loader warning...

      Actually, it'd be great if jailbreakme.com either installs the warning mechanism straight away, or offers it as an opt-out default on their website.

      --
      What time is it/will be over there? Check with my iPhone app!
  25. True but pointless by SuperKendall · · Score: 2

    Android and iOS combined don't even come close to Symbian.

    Since it's not a modern mobile OS on just about all those phones the point is irrelevant. Like saying there are not as many Android devices as grains of sand on all the beaches in the world.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:True but pointless by somenickname · · Score: 1

      Android and iOS combined don't even come close to Symbian.

      Since it's not a modern mobile OS on just about all those phones the point is irrelevant. Like saying there are not as many Android devices as grains of sand on all the beaches in the world.

      To use a car analogy, it's more like saying that the number of people that own a Lexus or BMW is dwarfed by the number of people that own a Honda. While the Honda owners may be more concerned with reliably getting from point A to point B, and the Lexus/BMW owners may be more concerned with comfort, status or performance, in the end, they are all cars and perform the same basic service.

    2. Re:True but pointless by juasko · · Score: 0

      How did you get Lexus and BMW in the same line as status?

      Well, neither gets any respect from me :p I go WAG all the way, preferably Audi, but Porsche isn't bad either, nor Bugatti or Lamborghini. All of them are available in 4wd configurations.

      Mercedes, nah, get down to the Toyota/Lexus/BMW league.

      That said, yes, Symbian is still the greatest, but if Nokia doesn't get their thumb out of their @$$ then it will not last long. I myself will get an iPhone 4 now. I've been a Nokia user up till now; I get them from work at no charge. But now I will pay up to get an iPhone instead.

      That tells you how bad Symbian is. The only operating system I can compare Symbian with is MS-DOS. Yes, it has some GUI, so OK, it's like Windows 3.0 based on MS-DOS.

      And I'm fed up with it. I've been a Mac user since the late 80's, and I'm stunned that in 2010 Nokia has not got any further than this.

    3. Re:True but pointless by sFurbo · · Score: 1

      iOS is the biggest mobile operating system player right now

      Android and iOS combined don't even come close to Symbian.

      Since it's not a modern mobile OS on just about all those phones the point is irrelevant

      Say, those are some nice goal posts you have there. And they move if you need them to. Nifty.

  26. Security is a percentage game by SuperKendall · · Score: 1

    Considering that tethering and malicious apps have made it through the store is not a safety guarantee.

    No-one ever said it was. Security can never be absolute. That's why security is a matter of percentages, and layers... multiple layers work better to protect users. Note this flaw required two exploits to come into alignment, a pretty rare event.

    Yes app store reviews can miss things. But App Store apps can be pulled from all devices suddenly with no user involvement (as Google recently had to do). A web site cannot be easily taken down and patching users takes time and willingness on the part of the user to patch.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Security is a percentage game by Anonymous Coward · · Score: 0

      Yes app store reviews can miss things. But App Store apps can be pulled from all devices suddenly with no user involvement (as Google recently had to do).

      Since when has this become a good thing?

      A web site cannot be easily taken down and patching users takes time and willingness on the part of the user to patch.

      Some of us 'users' prefer this, even the ones who otherwise don't know what they're doing. Simply taking the choice away is not a solution. I don't want others, who most likely have conflicting interests with me, reaching into my devices without my knowledge and permission. Speaking of malware, the vendors themselves are often the biggest threats.

    2. Re:Security is a percentage game by SuperKendall · · Score: 1

      since when has this become a good thing?

      For the average person this is a very good thing.

      Heck, for me I'd appreciate someone using this to pull out a truly evil app. But to date Apple has not used this feature, even for things like tethering apps that you could briefly buy and they removed from the store. As long as the feature is truly used only to block malicious apps it's a good thing for the user.

      To my mind it's no different than when I used to have a Linux installation that I configured to automatically download a security update package every night - potentially that could have uninstalled any system app that went rogue. And that would have been fine with me.

      some of us 'users' prefer this, even the ones who otherwise don't know what they're doing.

      Not really. The ones who "don't know what they are doing" don't really prefer this. They don't know one way or the other.

      Simply taking the choice away is not a solution.

      Who is taking choice away? That's not what is going on here. Targeted killing of apps with known viruses or exploits that are actively causing harm is not "removing a choice" except by the most warped definition. No civilized society makes legal the "choice" to commit suicide which is the equivalent of "choosing" to continue to run an infected application that is sending your bank data to China.

      I don't want others, who most likely have conflicting interests with me, reaching into my devices without my knowledge and permission.

      Generally speaking, I don't either. But this aspect is used as I noted only in extraordinary cases.

      Speaking of malware, the vendors themselves are often the biggest threats.

      Having seen some of what real malware does and been tangentially involved with identity theft, I have to totally disagree with that statement and think it's very naive as to real world malware issues.

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
    3. Re:Security is a percentage game by Anonymous Coward · · Score: 1, Interesting

      The issues here are choice and authorization. Who owns the device, you or Apple? If such a 'feature' does not have a choice, an option to opt out of the policing, then it is a malware back door no different from the one your Chinese hacker put in. In fact it's worse, because it'll never be found as such; in fact, it'll be marketed as a 'feature'.

      Generally speaking, I don't either. But this aspect is used as I noted only in extraordinary cases.

      Seriously? And you're calling me naive? I'll leave you to imagine various political analogies about governments with runaway policing powers.

      To my mind it's no different than when I used to have a Linux installation that I configured to automatically download a security update package every night - potentially that could have uninstalled any system app that went rogue. And that would have been fine with me.

      Generally (no, not always), the Linux distro guys are users themselves. Their financial interests do not conflict with your user rights. If they implemented such a feature, they would tell you, and they would give you an option to turn it off. So, no, Linux distros are not the same thing as the stuff coming from Apple, Microsoft et al. Generally, free software is user centric whereas commercial software is profit centric. As long as profits line up with user interest everything is fine. When it doesn't...

    4. Re:Security is a percentage game by Anonymous Coward · · Score: 0

      No civilized society makes legal the "choice" to commit suicide which is the equivalent of "choosing" to continue to run an infected application that is sending your bank data to China.

      The Apple fandom phenomenon starts to make a little more sense when you discover some of them actually think like this. Apparently your definition of civilized means that the Authorities think they know what's best for a person in every case - this is most certainly not my definition, in fact I think that is the definition of an immature society.

      The choice to do what I want with my life, including the choice to throw it away, is (ironically) a choice that I would fight and die to protect. The choice to do what I want with my phone doesn't lead me to the same extreme, but it does guarantee I will never purchase any product that doesn't offer it.

  27. Re:Lol apple by somenickname · · Score: 4, Informative

    That page doesn't say that at all. You've quoted numbers (and even incorrectly inflated the iOS numbers by instead quoting the Linux desktop numbers) about browser strings. If you scroll down, you will see a VERY different picture of the marketplace for mobile devices (including iPhone, iPad and iPod):

    From Gartner:

    Symbian: 44.3%
    Blackberry: 19.4%
    iOS: 15.4%
    Windows Mobile: 6.8%
    Android: 9.6%
    Linux: 3.7%
    Other: 0.7%

    Even allowing for a hefty margin of error, compared to Symbian, iOS is a very distant third.

  28. Re:Pure Epic by GNUALMAFUERTE · · Score: 1

    Command Syntax of the ultimate computer language: DoWhatIWant() DoItFaster(Function), eg. DoItFaster(DoWhatIWant()

    It still won't work because you are missing a closing parenthesis at the end.

    --
    WTF am I doing replying to an AC at 5 A.M. on a Friday night?
  29. Re:Lol apple by Draek · · Score: 2, Interesting

    Because iPhones are lacking in both performance and net access compared to even a low-end Windows machine, so they're mostly useless for botnets.

    And you really need a reality check if you think iOS is anywhere *near* the biggest mobile OS.

    --
    No problem is insoluble in all conceivable circumstances.
  30. They can be patched though by SuperKendall · · Score: 1

    Clearly the phones can't be updated to 4.1

    Why not? Jailbreaking doesn't prevent all the normal system stuff from operating as it should, you still sync with iTunes and it would still check for updates. The only downside is that it MAY break the jailbreaking. But even then something like MiFi might well still work.

    so unless someone produces patches independently of Apple

    Jailbreakers may well do that; they sometimes make modifications to system apps as part of the jailbreak.

    I've always said that when you jailbreak, at that point you take a divergent path from Apple's update stream, as you laid out. However, in practice that has not really been true - jailbreak updates almost always follow in a week or two from the official release of a new version of the OS, so you simply update and re-jailbreak - to date jailbreakers haven't really had to stay diverged from Apple's updates.

    After all, the guys who work on jailbreaking get the same pre-release OS all the other developers get, so they have time to formulate new entry points.

    Exploitable bugs should be reported so they can be fixed, not used to develop your own products

    I agree bugs should be reported and that is the more responsible path, but I don't see anything wrong with making use of the exploits that exist for peaceful purposes.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:They can be patched though by Anonymous Coward · · Score: 0

      I do have a jailbroken 3G phone. I did try to update and I couldn't. iTunes would let me reset the phone to factory defaults but it wouldn't let me update it.

      Make use of exploits for peaceable purposes? Come on, get back to planet Earth. If you have found the exploits, the bad guys have found them also.

  31. "Real PC user experience", as requested by Anonymous Coward · · Score: 0, Troll

    Everyone here clearly doesn't appreciate the immense effort that Apple has expended to bring people the "real PC user experience" on their phones, just like all the butthurt Android fantards keep whining about. Now you can enjoy "real PC features" like losing 10% of battery life to ineffective but performance-sapping virus scanners!

  32. Re:Lol apple by mini+me · · Score: 1

    And you really need a reality check if you think iOS is anywhere *near* the biggest mobile OS.

    Who is a bigger player? It is true that Symbian outsells the iPhone more than two to one, but the iPhone is outsold by both the iPod touch and iPad. Some reports claim iOS has twice as many installs compared to the nearest competition.

  33. Good point, but then it doesn't matter by SuperKendall · · Score: 2, Insightful

    That we know about.

    True, but if we have not heard of any then the infection rate is pretty low - after all you have to get the exploit up on a site and then get the person to visit that with the iPhone browser.

    I would argue that most browser use on mobile devices is going to well-known sites (like your favorite news site, bank, etc) so the chances of a rogue website affecting random users seems pretty low.

    Given there's working example code showing how to use the exploit you would actually expect something harmful pretty soon, but I've seen no signs of anything. Perhaps anyone who would target it figures since a patch will be out in a few days there's not enough potential gain.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Good point, but then it doesn't matter by rvw · · Score: 1

      That we know about.

      True, but if we have not heard of any then the infection rate is pretty low - after all you have to get the exploit up on a site and then get the person to visit that with the iPhone browser.

      If you get an "innocent" app in the App Store, it's not that difficult. Using the browser engine in an app is not unusual, and that app could visit an innocent URL in the background, without the user seeing anything. When the app is accepted in the App Store, the URL can be redirected to an attack site, which still could work in the background - et voila! When the device is rooted by that website, it could as well execute some other code and install a rootkit.

  34. Re:Lol apple by ScotterMonk · · Score: 1

    This article, admittedly using different measurement, says Android is now #1: http://www.boygeniusreport.com/2010/08/04/npd-group-android-top-selling-smartphone-platform-in-u-s-for-q2/ I think it is funny how we can focus on a certain metric to get whatever results we want :)

  35. Re:Lol apple by mini+me · · Score: 3, Informative

    The Gartner article you are referring to clearly states that those market share numbers are for cell phones. The majority of iOS devices are not cell phones at all.

  36. Other thing to try... by SuperKendall · · Score: 1

    I do have a jailbroken 3G phone. I did try to update and I couldn't. iTunes would let me reset the phone to factory defaults but it wouldn't let me update it.

    Did you try resetting the phone, installing the update, jailbreaking again, then restoring from a backup? Usually that migrates in applications and data files. Sort of the same as an update but more roundabout.

    Make use of exploits for peaceable purposes? Come on, get back to planet Earth. If you have found the exploits, the bad guys have found them also.

    Of course, but just because there are bad uses of the exploits why not write some good ones while the exploits exist? I'm not arguing that Apple should not patch the system, I'm just saying I don't see anything wrong with turning some aspect of a bad situation into a good one.

    The only downside is that publishing a positive exploit shows everyone else how to use the same exploit. But then as you say, the bad guys already know about it, probably well ahead of the person writing a positive use for an exploit.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  37. Car Analogy Back from the Shop by SuperKendall · · Score: 1

    To use a car analogy, it's more like saying that the number of people that own a Lexus or BMW is dwarfed by the number of people that own a bicycle.

    Fixed it for you, and far closer to the case at hand (at least with regards to Symbian).

    Your analogy was actually not too bad if we had been talking about Blackberry, except you would have had to add in the fact about roads going forward only being made for Lexus/BMW and Hondas not being able to use them. How long after you can't use new roads would you be forced to buy some other car, no matter how well it ran?

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Car Analogy Back from the Shop by Anonymous Coward · · Score: 0

      Why would the roads stop working for the Hondas? I'll still be able to make calls with my cell from 2000 next year...

  38. Re:Lol apple by Anonymous Coward · · Score: 2, Informative

    Those stats are just 1Q2010 sales, which may not be indicative of the total market share of phones currently in use. It's still a much better statistic than the one based on User-Agent strings though. With phones being replaced on average every 2 years though, one quarter worth of sales is an okay indicator, although Blackberry hasn't released too many phones recently.

    The ComScore list appears to be better although they don't really say what their methodology is. They don't include Nokia in their list of smartphones and only have stats on US subscribers though...

    (May 2010)
    RIM 41.7%
    Apple 24.4%
    Microsoft 13.2%
    Google 13.0%
    Palm 4.8%

  39. Re:Lol apple by Anonymous Coward · · Score: 0

    Get your facts straight - Symbian runs on many more handsets than iPhone. It's not even a contest, not even close.

  40. Re:Lol apple by dotgain · · Score: 2

    I realise it's academic - but why not?

  41. Re:Lol apple by PopeRatzo · · Score: 2, Insightful

    More secure does not equal completely secure.

    Another way to put it might be: "If it's not completely secure, it's not secure at all".

    --
    You are welcome on my lawn.
  42. Fix is already done, will ship any moment by gig · · Score: 2, Interesting

    Apple announced earlier today that they already have a fix and it will roll out soon. It takes about 2 weeks to update half the platform, and another month to get most of the rest.

  43. Re:Lol apple by Anonymous Coward · · Score: 0

    If you don't consider that a vulnerability, you know nothing about security.

  44. Re:Lol apple by MichaelSmith · · Score: 1

    Of course it's a vulnerability, just not with the phone. The vulnerability is in the infrastructure.

  45. Re:Lol apple by exomondo · · Score: 3, Informative

    iOS is the biggest mobile operating system player right now

    bullshit!

  46. Re:Lol apple by icebraining · · Score: 2, Insightful

    Of course it's with your phone:

    "Although the GSM specifications say that a phone should pop up a warning when it connects to a station that does not have encryption, SIM cards disable that setting so that alerts are not displayed. Even though the GSM spec requires it, this is a deliberate choice of the cell phone makers, Paget said."

    Your phone should warn you and it doesn't. It's a vulnerability in your phone.

  47. Just Apple Racism! by Anonymous Coward · · Score: 0

    It's only racism!

    Why bother?

  48. Browser is sandboxed by SuperKendall · · Score: 2, Insightful

    What makes you think the apps are safely sandboxed if the browser isn't?

    For one thing, I'm an iPhone developer so I know the exact constraints of the application sandbox.

    But also - the browser is sandboxed. Read details of the attack, it breaks the browser but then ALSO uses a second attack to escape the browser sandbox. The question is if the same thing is possible for any application, or if the sandbox exit is unique to Safari.

    But having two exploits in alignment is a rare thing. It's rare enough that exploitable bugs in both systems will be hard to come by, and if malware writers are not exploiting the current bug in Safari why would they do so with the much smaller attack space of any one application?

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Browser is sandboxed by LynnwoodRooster · · Score: 1

      It's rare enough that exploitable bugs in both systems will be hard to come by, and if malware writers are not exploiting the current bug in Safari why would they do so with the much smaller attack space of any one application?

      That's a mighty big "if" in there... There's no way to know, since root access also means you can completely cover your tracks, leaving no trace that you were even there.

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    2. Re:Browser is sandboxed by netsharc · · Score: 1

      Presumably, one could create an app store app that has a UIWebView and some PDF data with corrupted fonts, and make that a jailbreak tool, but that would be just doing it the hard way...

      Oh, the advisory says a corrupted PDF is just one of the exploits, I read somewhere else that the font-parsing mechanism was put in the kernel, and a flaw there allowed a kernel-level exploit, so I guess that's wrong then.

      --
      What time is it/will be over there? Check with my iPhone app!
    3. Re:Browser is sandboxed by rthille · · Score: 1

      My interest is in the secondary exploit. Is it a kernel thing, or is there some binary that's setuid and doesn't validate its args properly, or just something which Apple left in there when they shouldn't have to make it easier to develop...

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
  49. How will Apple correct this? by chrism238 · · Score: 5, Funny

    Will Apple just place the patch in a PDF file on their website, for us all to download and auto-install?

  50. Don't look at me. by SuperKendall · · Score: 1

    wow, you want to get rid of the browser as well?

    You mistook me for the parent; I was noting how he was forming the argument that users should only use app store apps. Me, I don't think the risk of possibly infected web pages warrants closing off the web to any device. I'm all about open standards.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  51. Closed and open data streams by SuperKendall · · Score: 1

    How about when the camera starts to do face recognition

    That I do not think can do anything, because it's a closed system. You collect points about a face and then look them up in a database of known faces. There's really not any way to inject information in there beyond what the system is expecting.

    How about voice recognition and commands built into the machine?

    Same thing, because the processing of the input attempts to match into a list of known words. Speaking gibberish can do nothing except simply not form a match.

    Now both things could be used as triggers for latent code, like an easter egg - say you used face recognition on Morgan Freeman and got some quote of his. But it would have to be pre-embedded by a developer.

    also starts to recognize bar codes and the square patterns

    Well that kind of could work, but only by triggering bugs in other systems because those apps just pass through whatever data they read off the QR code or barcode. There's just a limited possible set of characters that can be encoded so the code can easily handle all input cases. What would work is, for example, embedding a URL to an infected PDF in a QR Code and placing it somewhere obvious in a bar. You wouldn't get many hits but a few people might trigger it, and if you set said QR codes all over... but the user would have to initiate the scan using an application that was built to forward the data.

    The smarter you make these things, the more complex they become. At a certain level of complexity, you lose assurance that the security works properly.

    You never have any assurance that security works properly, which is why security systems are developed in layers. Adding more complexity does not necessarily increase security risk as long as the complex systems are compartmentalized from each other. Making really awesome face recognition and great voice recognition wouldn't have any impact on overall security since there are no relations between the two, and all they equate to is fancier lookups into internal databases.

    Also, most of those systems have to be triggered by the user - it's the passive, always on systems you really need to be concerned about in terms of security risk. The systems you have to activate just sit there inert regardless of complexity or intelligence.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
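    The comment above makes the defender's point in passing: a scanner app is a conduit for attacker-chosen bytes, and the danger is in what the app does with them afterwards (here, handing a URL to a PDF renderer). The following is an added example, not code from the post or from any real scanner app, showing the policy layer such an app could put between the decoded payload and the rest of the device: reject control characters and non-web schemes, reject URLs with userinfo (a common lookalike trick), and route document downloads through a user confirmation step instead of rendering them inline. The `Decision` type, the `CONFIRM_BEFORE_OPEN` list and the size limit are assumptions chosen for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Only plain web URLs are acted on; anything else (javascript:, file:,
# custom app schemes, WIFI:/MECARD: records) is shown to the user as text.
ALLOWED_SCHEMES = {"http", "https"}

# Constructed list: document types that go through a confirmation prompt
# rather than straight into a rich-document parser, since those parsers
# (the PDF and font parsers in this story are one instance) are large
# attack surfaces that the scanner app cannot vouch for.
CONFIRM_BEFORE_OPEN = {".pdf", ".ps", ".eps"}

MAX_PAYLOAD = 2048  # assumed cap; QR codes hold a few KB at most anyway


@dataclass
class Decision:
    action: str      # "open", "confirm" or "reject"
    reason: str
    url: str = ""    # normalised URL, only set when action != "reject"


def classify_scanned_payload(raw: str) -> Decision:
    """Decide what a scanner app should do with a freshly decoded QR payload.

    The payload is whatever whoever printed the code chose to encode, so it is
    treated as untrusted input: validated first, acted on only if it fits a
    narrow allowlist, and never rendered automatically.
    """
    if len(raw) > MAX_PAYLOAD:
        return Decision("reject", "payload too long")
    # Control characters have no business in a URL and are a classic way to
    # smuggle line breaks or terminators past a downstream parser.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in raw):
        return Decision("reject", "control characters in payload")

    text = raw.strip()
    try:
        parts = urlsplit(text)
    except ValueError as exc:          # e.g. malformed IPv6 literal
        return Decision("reject", f"unparseable URL: {exc}")

    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return Decision("reject", f"scheme {parts.scheme!r} not allowed")
    if not parts.hostname:
        return Decision("reject", "URL has no host")
    if parts.username is not None or parts.password is not None:
        # "http://trusted.example@evil.example/" reads as trusted to a human.
        return Decision("reject", "userinfo in URL")

    path = parts.path.lower()
    if any(path.endswith(ext) for ext in CONFIRM_BEFORE_OPEN):
        return Decision("confirm", "document download, ask the user first", text)
    return Decision("open", "http(s) URL", text)


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner app might decode them.
    for payload in ("https://example.com/menu",
                    "https://example.com/specials.pdf",
                    "javascript:alert(1)",
                    "http://trusted.example@evil.example/",
                    "WIFI:T:WPA;S:cafe;P:secret;;"):
        d = classify_scanned_payload(payload)
        print(f"{payload!r:45} -> {d.action:8} ({d.reason})")
```

The design choice worth noting is that the decision is made before any other component sees the bytes: the browser, the PDF viewer and the Wi-Fi stack each get the payload only if the policy layer has already decided it is the kind of thing they are allowed to receive.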
  52. WTF by pootypeople · · Score: 2, Insightful

    Everyone does realize that the OS of their smartphone has no relation to dick size, right?

    What the hell are folks arguing about, anyways? I would figure it's pretty awesome we live in an age where we can decide from multiple choices what advanced operating system will run our phone. That actually gets toward shit I wouldn't have expected growing up.

    But I guess folks have been getting pissed about other people's choice of OS for years. I really wish I understood why people get so pissed about that sort of thing. Operating systems are tools, not cults.

    1. Re:WTF by Anonymous Coward · · Score: 0

      Everyone does realize that the OS of their smartphone has no relation to dick size, right?

      I bought a phone with Android 1.6 and at that time my dick was 16 inch long. Then I upgraded it to Android 2.1 and my dick grew to 21 inch. Now I'm going to upgrade to Android 2.2 and I expect to have a 22 inch dick.

    2. Re:WTF by dzfoo · · Score: 1

      You mixed your imperial and metric units again.

              -dZ.

      --
      Carol vs. Ghost
      ...Can you save Christmas?
  53. Lots of ways to know by SuperKendall · · Score: 1

    That's a mighty big "if" in there... There's no way to know, since root access also means you can completely cover your tracks, leaving no trace that you were even there.

    It's not such a big if given the number of people that are on the lookout for active iPhone exploits. Plus you can always notice by outbound communication or by difference in backups. Also it kind of doesn't matter, because anything that managed to install would only be alive until the next iOS update, which would overwrite wherever it might be hiding.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Lots of ways to know by LinuxAndLube · · Score: 1

      As root, why wouldn't I be able to mess with the update process?

    2. Re:Lots of ways to know by LynnwoodRooster · · Score: 1

      So basically, you'll only be 100% compromised and have every single shred of data exposed to whomever wanted it until you get around to installing the next update. Good to know!

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    3. Re:Lots of ways to know by LynnwoodRooster · · Score: 1

      Precisely. When you're root, you can pretty much do as you please. There's nothing to say that pwned phones won't still be compromised, short of doing a complete wipe and re-install, and that simply won't be suggested by Apple since it seriously highlights the nature of this security breach.

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    4. Re:Lots of ways to know by SuperKendall · · Score: 1

      So basically, you'll only be 100% compromised and have every single shred of data exposed to whomever wanted it until you get around to installing the next update. Good to know!

      Which is true of any system that has been exploited. The difference is the iPhone can be updated to remove the issue more easily.

      But the main thing to realize is that people are looking for those kinds of intrusions, and when found an update will be close at hand. For the current issue, there are no malicious exploits yet.

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
    5. Re:Lots of ways to know by LynnwoodRooster · · Score: 1

      Which is true of any system that has been exploited. The difference is the iPhone can be updated to remove the issue more easily.

      No, that's not true. Many - most - exploits do not grant root access. It's one thing to open up user space, it's another to grant root access. This is about the worst level of hole you can have.

      Also interesting to note that we're on to 8 days and Apple still has not released a fix...

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
  54. Re:fuck yea. by Anonymous Coward · · Score: 0

    Very well thought out point. Can the world have back the oxygen molecules you are wasting?

  55. Apple likes jailbreaking by SuperKendall · · Score: 1

    very well known that Apple do not like jailbreaking

    One of the larger figures in the movement said Apple could stop jailbreaking any time they want to, if they were serious about it.

    In fact Apple may say that it's not legal (before it is) but in reality, Apple likes having a small lab where they see what people do with a totally open iPhone - it seems like some of the APIs exposed are exposed exactly so you can write apps that you could only do on a jailbroken phone before.

    If you really think about it, you can see that any Apple dislike of jailbreaking is a show.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Apple likes jailbreaking by exomondo · · Score: 1

      One of the larger figures in the movement said Apple could stop jailbreaking any time they want to, if they were serious about it.

      Nice random statement. The actions of the company show otherwise.

      Apple likes having a small lab where they see what people do with a totally open iPhone

      Another random statement based on nothing.

      If you really think about it, you can see that any Apple dislike of jailbreaking is a show.

      Why? Because you say so? Jailbreaking phones leads to piracy and security issues, both are bad for Apple's model.

      In any case it doesn't change the fact that your post was based on your misreading of the one you replied to.

  56. Track Record by SuperKendall · · Score: 1

    Have you looked at what this does to your iphone in it's entirety?

    Me personally? No others have.

    But it really doesn't matter because these are the same guys that have been working on jailbreaking since, well, forever. If they were wanting to do something nasty we would have seen evidence by now, only in a Bond movie would someone slave over reverse engineering something for five years only to then turn on the entire user base that was sending them props and lots of money via things like the Cydia app store.

    I'm pretty sure none of them have cats or monocles.

    Now if it were from some random guy then sure, I'd be pretty suspicious of it. But it's not.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  57. Mr. Comma is important. by SuperKendall · · Score: 1

    "No others have." The meaning sure changes a lot when you say "No, others have" as I meant to. People have been reverse engineering the jailbreak.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  58. Re:Lol apple by LinuxAndLube · · Score: 1

    All I have to do is to press this button right here, and the '10 best gapes ever' app will simultaneously launch on millions of iPhones. It will be a sweet day indeed.

  59. Re:Lol apple by digitalchinky · · Score: 1

    So include both the iPod touch and iPad, does Apple sell roughly 90 million units each year of all their iOS stuff combined? If the answer is no, then they are smaller than Symbian.

  60. Re:Lol apple by Anonymous Coward · · Score: 0

    You do realise Android comes on things other than phones...

    For a big name - Archos has been knocking out lots of their media players using Android for a while now. There's the Dell Streak, oh and of course the Chinese eBay Android stuff that you just cannot count accurately.

    Also - theappleblog.com - nice independent viewpoint.

  61. Re:Lol apple by randomsearch · · Score: 1

    > iOS is not the biggest mobile operating system in any way shape or form. RIM has far more devices in North America and Nokia rules the rest of the world.

    Mobile phone or mobile device?

    Linux by far dominates the world market in embedded systems. But who cares? O/S's are not football teams.

    RS.

  62. Re:Lol apple by AmonTheMetalhead · · Score: 1

    Ahem... "SIM cards disable that setting" It's more of an issue with the operators....

  63. Re:Lol apple by knarf · · Score: 1

    iOS is the biggest mobile operating system player right now

    Ehhhh... did you forget about those other mobile operating systems? Symbian is a lot bigger than iOS. Android has overtaken iOS in the US by quite a large margin. Search $favourite_search_engine for 'android ios OR apple market share' and you'll find a whole lot of opinions, often diametrically opposed, on this subject. Follow the money to see where the truth lies (no pun intended).

    Don't believe everything the priest says.

    --
    --frank[at]unternet.org
  64. Re:Lol apple by Anonymous Coward · · Score: 0

    Even allowing for a hefty margin of error, compared to Symbian, iOS is a very distant third.

    What's Symbian?

  65. Re:Lol apple by juasko · · Score: 0

    As if Windows hasn't had these bugs...

  66. Re:Lol apple by juasko · · Score: 0

    And Android is far behind Symbian...

    Face it, none of them is the largest. Nokia is the largest, which even Steve Jobs said in an interview. Nokia just ain't American, which is why Americans have little clue of what Nokia is. Nokia started up as a rubber boot maker, then car tires, mobile phones, monitors and more. Now Nokia has sold off the others, focusing on the mobile phones.

    But yeah Nokia sux compared to iPhone. Also Android is still smaller than iOS, but did sell more last quarter compared to iPhone. But that is like comparing Apple trees with Apples. Apples should be compared against Apples. So the iPhone should be compared to the HTC xor Samsung xor SonyEricsson Android phones.

    Just as Macs have a global share of 5% which is huge if you compare it correctly against another computer manufacturer such as Dell or HP. But MacOS has a low market share when compared correctly against Windows.

    Nope, Android has still to beat the total market share of iOS. But iOS is far from the largest out there.

  67. Re:Lol apple by juasko · · Score: 0

    You're right, but Android has not overtaken iOS yet. But last quarter they did sell more, but that might be because everyone wanting an iPhone was waiting for the iPhone 4, just as me.
    Android has to repeat last quarter's results a few times before they are larger than iOS.

  68. Re:Lol apple by juasko · · Score: 0

    Maybe true in USA... but USA is small compared to the "rest", just as the way Americans want to view non-Americans.

  69. Re:Lol apple by Kevin+Stevens · · Score: 1

    Symbian is all but dead, BlackBerry is still in the lead, but is losing ground fast - and this is despite the fact that in the business market the BlackBerry is pretty much ubiquitous. Android is gaining ground at a tremendous rate.

    This was just on slashdot a few days ago:
    http://bits.blogs.nytimes.com/2010/08/02/android-passes-iphone-for-new-subscribers/

  70. And you know what's really funny? by Anonymous Coward · · Score: 0

    My 3G phone has horrible, horrible performance with iOS 4. It's slow. Its battery drains faster than normal. The phone runs HOT just browsing the web. Its response time is so poor it's hard to answer incoming calls with the usual swipe.

    The upgrade is worse than Vista.

    But iOS 4 contains bug and exploit fixes from 3.013.

    Increasingly, it looks like I have a phone that works. Or a phone that's secure, since it looks probable that Apple is going to drop support for the 3G since its hardware is so much different than the 4's.

    Nice one, Apple!

  71. Re:Lol apple by Kielistic · · Score: 1

    Symbian has the largest market share of them all. How you consider that dead I am not sure.

  72. Re:Lol apple by jmauro · · Score: 1

    Because most Symbian phones are marketed under the name of the producing companies (like Samsung or Nokia) and not with the Symbian name, most people are under the impression that the company died a long time ago.

    It's also not a very popular phone in the US/Canada market since BlackBerry and Apple sit as the market leaders in the smartphone space. That means people in the US rarely hear about it.

  73. Re:Lol apple by jmauro · · Score: 1

    The Nokia smartphone OS. Been around since about 1986 in various forms.

    Symbian devices are rarely marketed as such and usually just sold as a "smartphone".

  74. Re:Lol apple by Skuld-Chan · · Score: 1

    Nokia's market share globally is flat, and in the US has been declining for a while. The situation is so bad they are looking for a new CEO.

    While it is still number 1 - it's a very precarious situation as they still haven't launched the N8 - a phone that arguably should have come out 2-3 years ago.

    They also lost a lot of customers (like me - and Symbian Guru blogger) over the N97.

  75. Wrong, that is YOUR stuff by SuperKendall · · Score: 1

    Nice random statement. The actions of the company show otherwise.

    The actions are that jailbreaking is not specifically blocked by Apple, as it could be.

    End of story.

    Therefore you are wrong.

    Apple's actions show they actually support jailbreaking, as opposed to public bluster.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Wrong, that is YOUR stuff by exomondo · · Score: 1

      The actions are that jailbreaking is not specifically blocked by Apple, as it could be.

      Bullshit, show some proof of how Apple can stop jailbreaking altogether.

      End of story.

      Nice lame attempt at authority. It's not 'end of story' just because you make baseless comments.

      Apple's actions show they actually support jailbreaking, as opposed to public bluster.

      Yeah, they tried to make it illegal and void your warranty if you do it. Real supportive actions there.

  76. Think like a blackhat by Anonymous Coward · · Score: 0

    In case you get notifications on this stale article... Your entire response shows that you are thinking like a nice, trusting guy. You are thinking about how someone would misuse the features the developer intended to implement. You are ignoring how a blackhat would misuse the bugs the developer never intended.

    In face recognition, you don't just attack the faces in the database with lookalikes, you attack the machine-vision algorithm to make it go crazy and generate invalid results, overrun image buffers, etc.

    In voice recognition, you could similarly try to break the signal processing code that finds words, in case it doesn't have proper spectral filtering. Although, it could be fun to find ways to obscure voice commands with noise so that the user doesn't hear them but the voice command system does after filtering noise, making the phone do things when the user would least suspect.

    Think fuzz-testing. The real devices in the wild can be subjected to crazy patterns never envisioned in the lab. And there are so many devices, that an attack could have low probability of success on each attempt, yet still break many phones just by spamming them with signals in a crowded, public space.

    Finally, you say exploits are rare and these double exploits even rarer, while I say here is an existence proof that they are quickly found and attacked. In the last 15 years I have spent considerable time on runtime systems and virtual machine models, and learned that the only constant is new covert channels and leaks. They are not safe.
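    The "think fuzz-testing" point above is the one a defender can act on directly: feed your own parser inputs that were never envisioned in the lab before someone else does. The following is an added example, not code from the comment or from any Apple component, written against a constructed toy type-length-value format rather than PDF or font data. It shows a parser written the "well-formed input only" way beside one with the bounds checks it lacks, and a small mutation fuzzer that reports the first input escaping the parser's own error handling. In Python the out-of-bounds read surfaces as an `IndexError`; in the C parsers the comment has in mind, the same missing check would be a memory-safety bug. The record format, seed and mutation operators are all assumptions chosen for the example.

```python
import random


def parse_records_unchecked(data: bytes) -> list:
    """Toy TLV parser: [type][length][value]... written the lab-only way.

    It trusts the length byte. On well-formed input it is correct; on crafted
    input the value loop walks off the end of the buffer (IndexError here
    stands in for the out-of-bounds read it would be in C).
    """
    records, i = [], 0
    while i < len(data):
        rec_type = data[i]
        length = data[i + 1]
        value = bytes(data[i + 2 + k] for k in range(length))
        records.append((rec_type, value))
        i += 2 + length
    return records


def parse_records_checked(data: bytes) -> list:
    """Same format with the bounds checks the unchecked version lacks.

    Malformed input is rejected with a controlled ValueError instead of
    being read past the buffer.
    """
    records, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated header at offset %d" % i)
        rec_type, length = data[i], data[i + 1]
        end = i + 2 + length
        if end > len(data):
            raise ValueError("length %d overruns buffer at offset %d" % (length, i))
        records.append((rec_type, data[i + 2:end]))
        i = end
    return records


def mutate(rng: random.Random, data: bytes) -> bytes:
    """Apply one to four random mutations: bit flip, byte overwrite,
    truncation, or appended garbage. Deliberately dumb, as cheap fuzzers are."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 4)):
        op = rng.choice(("flip", "set", "truncate", "extend"))
        if op == "flip" and buf:
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == "set" and buf:
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif op == "truncate" and buf:
            del buf[rng.randrange(len(buf)):]
        elif op == "extend":
            buf += bytes(rng.randrange(256) for _ in range(rng.randint(1, 8)))
    return bytes(buf)


def fuzz(parser, seed: bytes, iterations: int = 2000, rng_seed: int = 1234) -> dict:
    """Mutate the seed repeatedly and feed each mutant to the parser.

    ValueError is the parser's own, controlled rejection and is counted but
    not reported; anything else is a defect the lab never exercised, and the
    offending input is returned so it can go into the regression suite.
    """
    rng = random.Random(rng_seed)       # fixed seed: findings are reproducible
    rejected = 0
    for n in range(iterations):
        sample = mutate(rng, seed)
        try:
            parser(sample)
        except ValueError:
            rejected += 1
        except Exception as exc:
            return {"crash": sample, "iteration": n,
                    "error": type(exc).__name__, "rejected": rejected}
    return {"crash": None, "iteration": iterations, "error": None, "rejected": rejected}


# Constructed well-formed seed: record type 1 with value b"abc", type 2 with b"x".
SEED = b"\x01\x03abc\x02\x01x"

if __name__ == "__main__":
    print("unchecked:", fuzz(parse_records_unchecked, SEED))
    print("checked:  ", fuzz(parse_records_checked, SEED))
```

Run stand-alone it prints the first crashing input for the unchecked parser and `None` for the checked one; the interesting number is how early the crash arrives, which is the commenter's "low probability per attempt, many attempts" point seen from the tester's side.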

  77. Didn't Apple say the other day... by Anonymous Coward · · Score: 0

    The fixes for these are going to be in the iOS 4.1?

  78. Update process is external by SuperKendall · · Score: 1

    As root, why wouldn't I be able to mess with the update process?

    A very good question.

    On the iPhone, updates are handled by iTunes. It basically overwrites the system, and then overlays your user data back on top of it. The iPhone doesn't really get to have a say about what happens to it.

    That's one of the reasons why those wanting OTA (over the air) updates might want to think twice, although they are more convenient.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Update process is external by LinuxAndLube · · Score: 1

      I don't have an iPhone, but doesn't it use USB or WiFi to connect to the iTunes host? In that case, the malware can change the USB/WiFi protocol stack to protect itself from updates.

  79. Precisely - wrong! by SuperKendall · · Score: 1

    Precisely. When you're root, you can pretty much do as you please.

    When you're root, can you stop the user from connecting a cable?

    Oops! Guess you should have thought through your answer a bit more and actually read up on the iPhone update process. Read my response to the original poster to see just how off you were.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Precisely - wrong! by LynnwoodRooster · · Score: 1

      I know you're a resident Apple Fanatic, but if I have root access, I can change any bootloader/access file I like. The ONLY way to eliminate my root malware is to completely wipe and re-install, as I stated. If my malware is left in there at root, I will guarantee that I can stop you from loading over my files - I'm root, I can do whatever I want.

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
  80. That is the most important by SuperKendall · · Score: 1

    My interest is in the secondary exploit.

    Me too, that's what really makes everything interesting. An exploit in any one app doesn't matter without a way to break out of the sandbox. I've not found any details on that part though.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  81. Wrong II - The Re-Wrongining by SuperKendall · · Score: 1

    I know you're a resident Apple Fanatic, but if I have root access, I can change any bootloader/access file I like.

    You have root access to the iPhone. The bootloader is on the computer where iTunes is located... the update process turns the phone off and writes out new data. What exactly are you doing as root again?

    The ONLY way to eliminate my root malware is to completely wipe and re-install, as I stated

    Which is what it does...

    At this point, usually someone who has been such a titanically wrong jackass will admit they were wrong and apologize to save some small shred of dignity. I accept your apology in advance, though frankly I have no need to read whatever kooky excuse you come up with for your misunderstanding in your next post so you're pretty much just setting your own mind at ease.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley