Two Unpatched Flaws Show Up In Apple iOS
Trailrunner7 writes "The technique that the Jailbreakme.com Web site is using to bypass the iPhone's security mechanisms and enable users to run unapproved apps on their phones involves exploiting two separate vulnerabilities. One of the vulnerabilities is a memory-corruption flaw that affects the way that Apple's mobile devices, including the iPad and iPod Touch, display PDFs. The second weakness is a problem in the Apple iOS kernel that gives an attacker higher privileges once his code is on a targeted device, enabling him to break out of the iOS sandbox. The combination of the two vulnerabilities — both of which are unpatched at the moment — gives an attacker the ability to run remote code on the device and evade the security protections on the iPhone, iPad or iPod Touch. The technique became public earlier this week when the Jailbreakme.com site began hosting a set of specially crafted PDF files designed to help users jailbreak their Apple devices and load apps other than the ones approved by Apple and offered in its official App Store."
I remember my old brick of a cell phone back in the 90s. No published exploits yet. Sometimes simpler is better...
"Common sense will be the death of us all"
Um, the fact that jailbreakme.com works is proof that all those things are lining up perfectly. This is a real working exploit.
main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
Back when Apple was trying to convince the public to accept this locked down app store model, one of the justifications was malware protection, specifically Jobs himself cited Bluetooth worms. But the more these things start to look like and function like a general computer, the most likely attack vector is through websites just like on the desktop. The only other attack vector that Apple stops with this model is the fake screensavers, but apparently they aren't so good at catching unwanted code in the app store either; I believe there was a personal information theft app a few months back and just a few weeks ago there was a covert tethering app.
So I have to ask, if a website can line up a few exploits like this and compromise the entire device to the level needed to actually break the chain of trust Apple has created, what is the point of all this shit? Just so Apple can control their OS environment like a dictator?
iOS is not the biggest mobile operating system in any way, shape or form. RIM has far more devices in North America and Nokia rules the rest of the world.
But the more these things start to look like and function like a general computer, the most likely attack vector is through websites just like on the desktop
You just made the argument for why users should only use applications vetted from a store instead of the general web.
Happily the iPhone actually doesn't impose any restrictions on web use.
I just thought it was odd you were trying to argue against the security benefits of a closed app store using a bug in a totally open browser model.
The point of the app store would then be that the more applications users used, the less exposed they would be to web bugs. We know attackers inject exploits into popular websites all the time.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I don't know if this scenario is valid, as I don't have an iPhone that can run iOS4. But here goes anyway.
So someone takes their iPhone and jailbreaks it. The two bugs that allowed this are still present in the jailbroken phones, so the phones can also be pwned by anyone who comes up with a different exploit that uses these bugs. Clearly the phones can't be updated to 4.1 (as they are jailbroken), so unless someone produces patches independently of Apple they will remain in these jailbroken phones until they are discarded or reset to the official post-4.1 iOS. I wonder how many non-geeks who are persuaded to jailbreak their phones will realize this.
Here's the root of the issue. When someone decides to use an exploitable bug for their own purposes they are not doing any favors for themselves or their users. Exploitable bugs should be reported so they can be fixed, not used to develop your own products - however popular the products might be in some circles. That might well be an unpopular view in this forum, but there it is.
Will Apple just place the patch in a PDF file on their website, for us all to download and auto-install?