Slashdot Mirror


Two Unpatched Flaws Show Up In Apple iOS

Trailrunner7 writes "The technique that the Jailbreakme.com Web site is using to bypass the iPhone's security mechanisms and enable users to run unapproved apps on their phones involves exploiting two separate vulnerabilities. One of the vulnerabilities is a memory-corruption flaw that affects the way that Apple's mobile devices, including the iPad and iPod Touch, display PDFs. The second weakness is a problem in the Apple iOS kernel that gives an attacker higher privileges once his code is on a targeted device, enabling him to break out of the iOS sandbox. The combination of the two vulnerabilities — both of which are unpatched at the moment — gives an attacker the ability to run remote code on the device and evade the security protections on the iPhone, iPad or iPod Touch. The technique became public earlier this week when the Jailbreakme.com site began hosting a set of specially crafted PDF files designed to help users jailbreak their Apple devices and load apps other than the ones approved by Apple and offered in its official App Store."

43 of 171 comments

  1. Re:Lol apple by mini+me · · Score: 2, Interesting

    More secure does not equal completely secure.

    Though you do bring up an interesting point. iOS is the biggest mobile operating system player right now, and even with that large market share, so far nobody has turned all of those iPhones into a botnet. If Windows had the same bug, we would have millions of maliciously compromised systems by now. What gives?

  2. Re:Lol apple by pclminion · · Score: 3, Insightful

    How do you know millions of phones aren't already compromised? They could just be sitting there quietly, waiting for the dust to settle a bit.

    Do we need antivirus/antimalware on smart phones now? Welcome to the 21st century.

  3. Re:Flaw? by strayant · · Score: 2, Insightful

    I'd say both, and wonder, is their code open to scrutiny? I'd love to see someone verify and certify that there's nothing malicious with their code. One can argue, however, that any other site could use this in a harmful manner. This is a *real* concern. So while the jailbreak is nice, what isn't so nice?

  4. Re:Lol apple by Some.Net(Guy) · · Score: 4, Informative

    iOS is the biggest mobile operating system player right now

    Yep, it sure is. I mean, if you don't count Android

  5. Re:Lol apple by tacarat · · Score: 5, Insightful

    I remember my old brick of a cell phone back in the 90s. No published exploits yet. Sometimes simpler is better...

    --
    "Common sense will be the death of us all"
  6. Re:Rather unlikely scenario required by Spy+Hunter · · Score: 5, Insightful

    Um, the fact that jailbreakme.com works is proof that all those things are lining up perfectly. This is a real working exploit.

    --
    main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
  7. Falsely implied security by mrsteveman1 · · Score: 5, Insightful

    Back when Apple was trying to convince the public to accept this locked down app store model, one of the justifications was malware protection, specifically Jobs himself cited bluetooth worms. But the more these things start to look like and function like a general computer, the most likely attack vector is through websites just like on the desktop. The only other attack vector that Apple stops with this model is the fake screensavers, but apparently they aren't so good at catching unwanted code in the app store either, I believe there was a personal information theft app a few months back and just a few weeks ago there was a covert tethering app.

    So I have to ask, if a website can line up a few exploits like this and compromise the entire device to the level needed to actually break the chain of trust Apple has created, what is the point of all this shit? Just so Apple can control their OS environment like a dictator?

  8. Re:Flaw? by maxume · · Score: 2, Insightful

    The 'remote' part of the exploit sort of shits all over the 'feature' argument.

    --
    Nerd rage is the funniest rage.
  9. Re:Lol apple by pushing-robot · · Score: 3, Insightful

    BlackBerry? Symbian?

    --
    How can I believe you when you tell me what I don't want to hear?
  10. Re:Lol apple by mini+me · · Score: 4, Insightful

    I am not sure why people keep quoting that article when it comes to OS share. Apple sells more iPod touches and iPads than iPhones. Android barely squeaks past just iPhone and only in the US market. I do expect that one day Android will dominate the market, but it has a long way to go.

  11. Re:Flaw? by Anonymous Coward · · Score: 2, Insightful

    The problem is, it doesn't just allow you to jailbreak your phone. It allows anyone who can get you to view a PDF in the browser to own your phone -- that makes it a flaw, most definitely.

  12. Security-through-obscurity no more by by+(1706743) · · Score: 4, Insightful

    Although various Windows versions may well be less secure than their contemporary Mac versions, Windows was always more vulnerable simply because there was a bigger incentive to attack it (i.e., more users).

    Seems that Apple is now paying the price for popularity.

  13. The price not paid by SuperKendall · · Score: 2, Insightful

    Seems that Apple is now paying the price for popularity.

    What price? There are as yet no malicious attacks that make use of this attack vector. The only thing that does is using it as a utility that the user invokes on purpose, and even has to swipe to activate it!

    Currently Apple users are not paying any price despite having a very popular mobile platform that every now and then has well-publicised vulnerabilities. Hmm.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:The price not paid by Dragonslicer · · Score: 2, Insightful

      There are as yet no malicious attacks that make use of this attack vector.

      That we know about.

  14. Re:Lol apple by h4rr4r · · Score: 5, Informative

    iOS is not the biggest mobile operating system in any way shape or form. RIM has far more devices in North America and Nokia rules the rest of the world.

  15. Re:Flaw? by somenickname · · Score: 2, Funny

    This is a feature in the same way the antenna problem is: "Well, at least I get a free bumper out of it!"

  16. He said operating systems, not devices by SuperKendall · · Score: 3, Interesting

    iOS is the biggest mobile operating system player right now
    Yep, it sure is. I mean, if you don't count Android

    Count Android all you like, if you count every Android device sold to date it would not equal the number of iPhone and iPod Touch units sold.

    The Touch (and iPad) all run the same mobile iOS the phones do.

    Note that link was from back in 2009...

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:He said operating systems, not devices by somenickname · · Score: 3, Informative

      Count Android all you like, if you count every Android device sold to date it would not equal the number of iPhone and iPod Touch units sold.

      The Touch (and iPad) all run the same mobile iOS the phones do.

      Note that link was from back in 2009...

      Android and iOS combined don't even come close to Symbian.

  17. Re:Lol apple by MichaelSmith · · Score: 2, Informative

    Somebody could rewire the phone lines to my house too, but I don't count that as a vulnerability in the simple electronics in my land line phones.

  18. didn't you just argue FOR the app store? by SuperKendall · · Score: 5, Insightful

    But the more these things start to look like and function like a general computer, the most likely attack vector is through websites just like on the desktop

    You just made the argument for why users should only use applications vetted from a store instead of the general web.

    Happily the iPhone actually doesn't impose any restrictions on web use.

    I just thought it was odd you were trying to argue against the security benefits of a closed app store using a bug in a totally open browser model.

    The point of the app store would then be that the more applications users used, the less exposed they would be to web bugs. We know attackers inject exploits into popular websites all the time.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  19. Patch may not affect jailbreak. by SuperKendall · · Score: 2, Informative

    Often the patches will not undo already jailbroken systems. So there's that possibility.

    But if someone finds they like the jailbreaking, they can just use whatever mechanism will come along to jailbreak 4.1. Usually it's not as dramatic as a browser bug and it involves running an application on your main computer to alter your attached device, but it's easy enough for anyone interested to keep going.

    Another option is that jailbreakers can simply replace the 4.0 PDF library with the 4.1 version (if compatible).

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  20. Apple bans PDFs... by trboyden · · Score: 3, Funny

    This just in... Apple bans PDFs on Apple devices... Steve Jobs was quoted as saying "PDFs are yesterday's portable documents - nobody uses them anymore. So we've decided to stop supporting PDFs on Apple devices. In addition, we've decided to not allow any media on our devices that you can't obtain through the iTunes Store. This way nobody can make our devices unstable and insecure like kernel vulnerabilities and overheating chipsets - oh wait..."

  21. Products based on exploits by Calibax · · Score: 5, Interesting

    I don't know if this scenario is valid, as I don't have an iPhone that can run iOS4. But here goes anyway.

    So someone takes their iPhone and jailbreaks it. The two bugs that allowed this are still present in the jailbroken phones so the phones can also be pwned by anyone who comes up with a different exploit that uses these bugs. Clearly the phones can't be updated to 4.1 (as they are jailbroken) so unless someone produces patches independently of Apple they will remain in these jailbroken phones until they are discarded or reset to the official post 4.1 iOS. I wonder how many non-geeks who are persuaded to jailbreak their phones will realize this.

    Here's the root of the issue. When someone decides to use an exploitable bug for their own purposes they are not doing any favors for themselves or their users. Exploitable bugs should be reported so they can be fixed, not used to develop your own products - however popular the products might be in some circles. That might well be an unpopular view in this forum, but there it is.

  22. True but pointless by SuperKendall · · Score: 2

    Android and iOS combined don't even come close to Symbian.

    Since it's not a modern mobile OS on just about all those phones the point is irrelevant. Like saying there are not as many Android devices as grains of sand on all the beaches in the world.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  23. Re:Lol apple by somenickname · · Score: 4, Informative

    That page doesn't say that at all. You've quoted numbers (and even incorrectly inflated the iOS numbers by instead quoting the Linux desktop numbers) about browser strings. If you scroll down, you will see a VERY different picture of the marketplace for mobile devices (including iPhone, iPad and iPod):

    From Gartner:

    Symbian: 44.3%
    Blackberry: 19.4%
    iOS: 15.4%
    Windows Mobile: 6.8%
    Android: 9.6%
    Linux: 3.7%
    Other: 0.7%

    Even allowing for a hefty margin of error, compared to Symbian, iOS is a very distant third.

  24. Re:Lol apple by Draek · · Score: 2, Interesting

    Because iPhones are lacking in both performance and net access compared to even a low-end Windows machine, so they're mostly useless for botnets.

    And you really need a reality check if you think iOS is anywhere *near* the biggest mobile OS.

    --
    No problem is insoluble in all conceivable circumstances.
  25. Re:Patched in 4.1... by Anubis350 · · Score: 2, Informative

    Actually, at the moment, only jailbreakers can be *safe* from this vulnerability. Google "PDF Loading Warner". Ironic, isn't it?

    --
    "goodbye and hello, as always" ~Prince Corwin, from Zelazny's Amber series
  26. Re:You missed his point... by SuperKendall · · Score: 2, Interesting

    while this exploit shows that you have to also consider malicious data which injects code via existing "vetted" apps

    That implies if an app store app had a security issue it would be an issue beyond that application. That is generally not the case since the apps are all well sandboxed and cannot affect the system. Messing with an approved app via some flaw would usually get you nothing but a corrupted app. You can't even modify the app binary from the app itself...

    I'm not even sure breaking an app would be able to get you to the same system privilege exploit break Safari is able to reach, since Safari is a system app that possibly has slightly more leeway in access to the system.

    I await the audible or visual hack that gets a malicious pattern in through the microphone or camera, and then triggers bugs in the apps that try to do clever things with sound, image, or video!

    I've read about that concept before and it's a cool thought experiment, but in reality I don't think that's a practical line of attack since the full range of possible data from those forms of input is so well understood by things processing it and so limited in scope. Anything going in through the camera is going to have pixels with RGB values ranging from 0 to 255 in an array of pixels at a specific size, there's just no input you could give that would break anything. Basically the A/D converters are acting as a kind of firewall for your input, preventing data outside the extremes to be processed.

    MAYBE you could devise some kind of sequence that would break the autofocus system when presented with a specific set of targets, but even then could you inject code once you had broken AF? It seems well beyond practical to be able to do so even just for research purposes.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  27. Good point, but then it doesn't matter by SuperKendall · · Score: 2, Insightful

    That we know about.

    True, but if we have not heard of any then the infection rate is pretty low - after all you have to get the exploit up on a site and then get the person to visit that with the iPhone browser.

    I would argue that most browser use on mobile devices is going to well-known sites (like your favorite news site, bank, etc) so the chances of a rogue website affecting random users seems pretty low.

    Given there's working example code showing how to use the exploit you would actually expect something harmful pretty soon, but I've seen no signs of anything. Perhaps anyone who would target it figures since a patch will be out in a few days there's not enough potential gain.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  28. Re:Lol apple by mini+me · · Score: 3, Informative

    The Gartner article you are referring to clearly states that those marketshare numbers are for cell phones. The majority of iOS devices are not cell phones at all.

  29. Re:Lol apple by Anonymous Coward · · Score: 2, Informative

    Those stats are just 1Q2010 sales, which may not be indicative of the total market share of phones currently in use. It's still a much better statistic than the one based on User-Agent strings though. With phones being replaced on average every 2 years though, one quarter worth of sales is an okay indicator, although Blackberry hasn't released too many phones recently.

    The ComScore list appears to be better although they don't really say what their methodology is. They don't include Nokia in their list of smartphones and only have stats on US subscribers though...

    (May 2010)
    RIM 41.7%
    Apple 24.4%
    Microsoft 13.2%
    Google 13.0%
    Palm 4.8%

  30. Re:Flaw? by squidinkcalligraphy · · Score: 2, Insightful

    Certainly a feature, if by feature you mean a remotely exploitable root vulnerability. Yes, definitely a feature. For crackers.

    For the rest of us it's a pretty critical flaw, namely one that can 0wn yr ph0ne by visiting a malicious website.

    --
    "I think it would be a good idea" Gandhi, on Western Civilisation
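    Comments 11 and 30 above both make the same point: whatever the jailbreak is for, the delivery mechanism is a PDF that the browser renders, so anyone who can get a PDF in front of the device gets the same code execution. What follows is an added example for this thread, not code from Jailbreakme.com, Apple, or any commenter. The thread says only that the bug is in how iOS displays PDFs, not which PDF feature triggers it, so this script does not detect that bug; it does the static triage a gateway or an analyst wants before a file from an untrusted site reaches a native renderer: it enumerates the PDF's objects and reports which contents will be handed to a parser written in C (embedded font programs, image and compression codecs, document actions, JavaScript, attachments). The key list, the risk labels, the verdict rule and the sample PDF are my own assumptions; the sample is constructed and harmless.

```python
"""Static triage of a PDF before a native renderer touches it.

Added example for this thread; not Jailbreakme.com or Apple code. The
thread does not say which PDF feature the iOS bug is in, so this does NOT
detect that bug. It lists what in the file reaches a C parser: embedded
font programs, image/compression codecs, actions, JavaScript, attachments.
Key list, labels and sample PDF are assumptions of mine. Handles classic
uncompressed object syntax only (no xref or object streams): a first pass,
not a full PDF parser.
"""
import re
from collections import Counter

# Dictionary keys whose presence means a native decoder or action handler runs.
RISKY_KEYS = {
    b"/FontFile": "embedded Type1 font program",
    b"/FontFile2": "embedded TrueType font program",
    b"/FontFile3": "embedded CFF/OpenType font program",
    b"/JavaScript": "JavaScript action",
    b"/JS": "JavaScript code",
    b"/Launch": "launch action",
    b"/OpenAction": "action run when the document opens",
    b"/AA": "additional (automatic) actions",
    b"/EmbeddedFile": "attached file",
}
# Stream filters that hand data to an image or compression codec.
DECODER_FILTERS = (b"/JBIG2Decode", b"/DCTDecode", b"/JPXDecode",
                   b"/CCITTFaxDecode", b"/FlateDecode")
IMAGE_CODECS = {"/JBIG2Decode", "/DCTDecode", "/JPXDecode", "/CCITTFaxDecode"}

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
STREAM_RE = re.compile(rb"\bstream\r?\n")   # no \b before 'stream' in 'endstream'


def triage_pdf(data: bytes) -> dict:
    """Summarise what a renderer would have to parse in `data` (raw PDF bytes).

    Returns objects (count), streams (count), filters (Counter of filter
    names) and findings (list of (object number, description))."""
    objects = streams = 0
    filters = Counter()
    findings = []
    for m in OBJ_RE.finditer(data):
        objects += 1
        num, body = int(m.group(1)), m.group(3)
        sm = STREAM_RE.search(body)
        dictionary = body[:sm.start()] if sm else body   # dict precedes stream data
        streams += bool(sm)
        for key, label in RISKY_KEYS.items():
            # Whole-name match: /FontFile must not fire on /FontFile3.
            if re.search(re.escape(key) + rb"(?![A-Za-z0-9])", dictionary):
                findings.append((num, label))
        for f in DECODER_FILTERS:
            if f in dictionary:
                filters[f.decode()] += 1
    return {"objects": objects, "streams": streams,
            "filters": filters, "findings": findings}


def verdict(summary: dict) -> str:
    """Gateway rule (assumption): hold anything with actions, embedded fonts or image codecs."""
    if summary["findings"] or IMAGE_CODECS & set(summary["filters"]):
        return "hold for review"
    return "pass"


# Constructed sample, not a real exploit: embeds a CFF font program and an
# OpenAction that runs JavaScript; the page content stream is Flate-compressed.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Page /Resources << /Font << /F1 3 0 R >> >> /Contents 5 0 R >>
endobj
3 0 obj
<< /Type /FontDescriptor /FontName /Custom /FontFile3 6 0 R >>
endobj
4 0 obj
<< /S /JavaScript /JS (app.alert(1)) >>
endobj
5 0 obj
<< /Length 5 /Filter /FlateDecode >>
stream
xxxxx
endstream
endobj
6 0 obj
<< /Subtype /Type1C /Length 4 >>
stream
\x01\x00\x04\x01
endstream
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    s = triage_pdf(SAMPLE_PDF)
    print(f"{s['objects']} objects, {s['streams']} streams, filters={dict(s['filters'])}")
    for num, label in s["findings"]:
        print(f"  obj {num}: {label}")
    print("verdict:", verdict(s))
```

    Run against the sample it reports the embedded font program in object 3 and the open-time JavaScript in objects 1 and 4 and returns "hold for review"; a plain text-only PDF passes. The point is not that fonts or JavaScript are the bug here (the page does not say what is), but that each of those items is a separate native parser a crafted file can reach without any user action beyond viewing it, which is exactly the property the two comments are worried about.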
  31. Re:Flaw? by Mr2001 · · Score: 2, Informative

    I'd suspect even Google would make more effort to lock down Android if stuff like Installous was floating around there (is it? I have no idea).

    You don't need anything like Installous on Android, because Android doesn't limit where you can install apps from. Once you check the "Allow installation of non-Market applications" option, you can just point the browser at a link to a .apk file.

    Google is addressing paid-app piracy, but not by locking down the OS. Instead, they're letting apps check with Google's servers to verify that the app has been purchased by the person who's running it.

    --
    Visual IRC: Fast. Powerful. Free.
  32. Re:You missed his point... by labradore · · Score: 2, Interesting

    How about when the camera starts to do face recognition (like most point-and-shoot digicams do today) and also starts to recognize bar codes and the square patterns like the ones that the Android app store uses? How about voice recognition and commands built into the machine? The smarter you make these things, the more complex they become. At a certain level of complexity, you lose assurance that the security works properly. It takes exponentially more time to vet the system as the complexity increases.

  33. Re:You missed his point... by mrsteveman1 · · Score: 2, Insightful

    What makes you think the apps are safely sandboxed if the browser isn't? If the browser isn't sandboxed at all, why the fuck not? If it is and this still happened, then the sandbox isn't all that effective, especially if you can get someone to run code locally and call native APIs.

  34. Re:Lol apple by dotgain · · Score: 2

    I realise it's academic - but why not?

  35. Re:Lol apple by PopeRatzo · · Score: 2, Insightful

    More secure does not equal completely secure.

    Another way to put it might be: "If it's not completely secure, it's not secure at all".

    --
    You are welcome on my lawn.
  36. Fix is already done, will ship any moment by gig · · Score: 2, Interesting

    Apple announced earlier today that they already have a fix and it will roll out soon. It takes about 2 weeks to update half the platform, and another month to get most of the rest.

  37. Re:Lol apple by exomondo · · Score: 3, Informative

    iOS is the biggest mobile operating system player right now

    bullshit!

  38. Re:Lol apple by icebraining · · Score: 2, Insightful

    Of course it's with your phone:

    "Although the GSM specifications say that a phone should pop up a warning when it connects to a station that does not have encryption, SIM cards disable that setting so that alerts are not displayed. Even though the GSM spec requires it, this is a deliberate choice of the cell phone makers, Paget said."

    Your phone should warn you and it doesn't. It's a vulnerability in your phone.

  39. Browser is sandboxed by SuperKendall · · Score: 2, Insightful

    What makes you think the apps are safely sandboxed if the browser isn't?

    For one thing, I'm an iPhone developer so I know the exact constraints of the application sandbox.

    But also - the browser is sandboxed. Read details of the attack, it breaks the browser but then ALSO uses a second attack to escape the browser sandbox. The question is if the same thing is possible for any application, or if the sandbox exit is unique to Safari.

    But having two exploits in alignment is a rare thing. It's rare enough that exploitable bugs in both systems will be hard to come by, and if malware writers are not exploiting the current bug in Safari why would they do so with the much smaller attack space of any one application?

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  40. How will Apple correct this? by chrism238 · · Score: 5, Funny

    Will Apple just place the patch in a PDF file on their website, for us all to download and auto-install?

  41. WTF by pootypeople · · Score: 2, Insightful

    Everyone does realize that the OS of their smartphone has no relation to dick size, right?

    What the hell are folks arguing about, anyways? I would figure it's pretty awesome we live in an age where we can decide from multiple choices what advanced operating system will run our phone. That actually gets toward shit I wouldn't have expected growing up.

    But I guess folks have been getting pissed about other people's choice of OS for years. I really wish I understood why people get so pissed about that sort of thing. Operating systems are tools, not cults.