Apple IOS 4.3.4 Jailbroken Hours After Update

Stoobalou writes "The cat and mouse game between Apple and the jailbreaking community continues unabated as an updated version of PwnageTool hits the web just hours after apple updated its iOS mobile operating system to lock out the JailbreakMe PDF-based exploit."

It's a drive-by download exploit

[engineerpop]

Here is a fixed title: Apple IOS 4.3.4 Drive-By Exploit Released Hours After Update

All a malicious person needs to do is make a porn site for iPhone and iPad users and use the PDF exploit to gain root. Then they can for example install a hidden app that calls and sends sms to premium rate numbers, or do anything else they desire with the device. But somehow this exploit gets turned as a great thing all while the same users are touting how secure their Apple products are.

Re:It's a drive-by download exploit

[Goaway]

"The same users"? I'm sure you can provide an example of the same person saying those two things, yes?

Re:It's a drive-by download exploit

[sgbett]

I don't hold out much hope. His comment doesn't even make sense to anyone who has actually read the article. 100% troll.

Re:It's a drive-by download exploit

[Samantha+Wright]

When JailBreakMe 2 and 3 (the version that iOS 4.3.4 fixes being 3) were released, they came with a patch in Cydia to fix the underlying vulnerability. Not only are jailbreakers conscious of iOS's flaws, they're willing to clean up after themselves. The only people not protected against your drive-by hidden app are those smart enough to jailbreak but dumb enough not to patch, which is a fairly small market segment, because the usual "too-dumb-to-upgrade" population is replaced by the "click-yes-to-everything-iTunes-says" population.

Sorry, but even tried-and-true wisdom doesn't apply everywhere.

Re:It's a drive-by download exploit

Spoken like a true Appleologist.
Take Jobs's cock out of your mouth when you speak to the big boys.

Re:It's a drive-by download exploit

[tripleevenfall]

This is the internet... we normally don't require MLA citations for things that are more or less common sense.

Re:It's a drive-by download exploit

[Anubis+IV]

Here's a fixed title for you: Slashdot user fails at basic reading comprehension. It is NOT a drive-by-download exploit. The drive-by-download PDF vulnerability existed in 4.3.3 but was rapidly patched with the release of 4.3.4, and it has yet to be reopened as a viable exploit. Instead, what these hackers/developers/<your spin here> have managed to do is update their tethered means of jailbreaking to work with 4.3.4, but it currently requires being tethered to your computer with each and every reboot, otherwise you lose root. It's about as far from a drive-by-download as you can imagine and is not currently susceptible to malicious attacks unless you compromise physical access to your device. Now, pardon me while I tout how secure my Apple product is.

Re:It's a drive-by download exploit

[robmv]

WRONG answer, all those users that do no jailbreak their iPhones (a lot of people) are vulnerable to this attack, those are not jailbreak possibilities, those are big security vulnerabilities that are used to jailbreak. I am pretty sure any other OS manufacturer bug like this will be called like they must be called "Security bugs" and not jailbreaks

Re:It's a drive-by download exploit

[gl4ss]

yeah the new exploit is tethered only this time. so it only took apple couple of weeks(?) to fix the browser accessible hole.

Re:It's a drive-by download exploit

[Bert64]

However jailbreak users had a fix for this vulnerability available immediately right from the device itself, while non jailbreak users had to wait for Apple to provide one, and then must tether their device to a computer, download a large firmware file, reflash it and then restore all their settings to the device in order to be immune to the exploit.

Re:It's a drive-by download exploit

[CheerfulMacFanboy]

Here's a fixed title: "engineerpop Too Stupid To Tell Difference Between Drive-By Exploit And Tethered Jailbreak"

Re:It's a drive-by download exploit

[Goaway]

Translation: "I never question things I want to be true, I just call them common sense instead."

Re:It's a drive-by download exploit

[RMingin]

You're going to call and send SMS with an iPad? Good luck with that.

"Use premium data" maybe? Again I lawl, sir.

Re:It's a drive-by download exploit

[Duradin]

Common sense is not common and what is touted as "common sense" rarely makes sense when scrutinized.

For example, any political campaign that runs with a core "common sense" message.

Re:It's a drive-by download exploit

It's common knowledge that common sense is usually wrong.

Re:It's a drive-by download exploit

[PNutts]

Yes, I don't go to porn sites to look at the pictures. I read the (PDF) articles.

Re:It's a drive-by download exploit

[PNutts]

However jailbreak users had a fix for this vulnerability available immediately right from the device itself, while non jailbreak users had to wait for Apple to provide one, and then must tether their device to a computer, download a large firmware file, reflash it and then restore all their settings to the device in order to be immune to the exploit.

I don't let third parties patch my systems, at work or at home. But... Both tethering and the large firmware file are accurate but no longer true in iOS5 due possibly in September. The reflash and "restore" is currently handled by iTunes in one operation. I use the bunny ears for restore because I don't know the specifics, but the end user experience is to click "OK" when prompted to update and a bit later the phone is updated and ready for use. There is no separate restore.

Re:It's a drive-by download exploit

[dgatwood]

Restore all your settings? Only if you jailbreak. Normally, the upgrade process does not involve any sort of restore....

Re:It's a drive-by download exploit

[jellomizer]

That is the rule of the internet. Just remember about 1/2 of the population has below average intelligence.

Re:It's a drive-by download exploit

[JMJimmy]

100% of the internet population is over-opinionated and under-informed

Re:It's a drive-by download exploit

[isama]

That may be your opinion, but I think you should read some more.

Re:It's a drive-by download exploit

[UncleTogie]

I believe your premise is over-thought and overrated, and humbly suggest you collect more data before making said assumption.

Re:It's a drive-by download exploit

[node+3]

Um, what?

Steps you listed, for jailbreakers:

1. There is no step one.

Non-jailbreakers:

1. Wait for Apple
2. tether to computer
3. download a "large" file
4. reflash it
5. restore settings

You artificially expanded one set of steps, and collapsed the other. Why is that?

Re:It's a drive-by download exploit

[hairyfeet]

Well anyone who has watched Pwn to own or read the article posted on OSNews on OSX knows that security in the Apple camp as largely been a gift of security through obscurity which the incredible numbers put up by the iPhone and iPad killed pretty damned dead. Oh and before someone chimes in (as they always do) that they go after the Mac over the WinBox because the Mac is nicer? Protip: The first one to drop ANY machine gets $10,000 so risking that amount on trying to get a Macbook one could easily buy with the check would be dumb and those guys ain't dummies.

I'd say the real problem for Apple is they have both the white and black hats trying to crack them, the whites to jailbreak their iShiny while the blacks want to pwn the iShiny. Maybe they should take the whites out of the equation by offering a "void warranty and jailbreak now" button?

That would leave just the black hats which admittedly will be a MUCH harder problem, just look at how many years it took for MSFT to get Windows from the crazy 19 infections per 1000 boxes with WinXP to the 4 per 1000 with 7. They had to harden the OS with improvements to DEP, ASLR, process isolation, hell if that isn't enough for you you can do what I did with my customers and add Structured Exception Handling Overwrite Protection which works beautifully without any programs hanging.

But what Apple has ended up with is gonna be more than a bit of a puzzler, as the devices iOS runs on aren't really powerful enough to deal with the overhead of the above security features, yet people still expect to be able to install and run programs on the things like a laptop. Short of ripping out support for most functions and instead having everything go through Apple's servers in a thin client kind of way I just don't see how they are gonna stop the malware guys. The malware guys have seen the numbers of sales, have seen there is blood in the water, and now the sharks are coming wanting a bite. It doesn't help I've had conversation with Apple users that still believe the "Apple is immune to malware" meme, at least the Windows and Linux users see and accept the web is a dangerous place.

Perhaps the thin client model is the way to go for Apple. They certainly have the server capacity now and it would fit right in with their walled garden approach, the only question is would streaming everything client server style clog the networks worse than they are. Doesn't Opera already do this with their mobile browser BTW? Maybe taking a page from their book wouldn't be such a bad idea.

Re:It's a drive-by download exploit

[BitZtream]

Considering mine iPad has cellular and a phone number, its not like its impossible.

Of course, I do actually send and make calls if for some reason my phone doesn't work, on my ipad ... but thats VoIP which is only brought into play if the closest landline is at least 48 hours away from me at best possible speed, but thats with another couple of non-builtin apps I've added.

Re:It's a drive-by download exploit

[RMingin]

That's nice. My iPad 3G has been doing those things for over a year as well. Those are through apps, not natively. Unless the exploiters are writing and installing a custom baseband, they are NOT making premium SMS or premium calls from either of our iPads. I doubt AT&T would know what to do if you spoofed a data iPad's SIM and tried to make a call, they'd probably just drop the connection.

Realistically and unsurprisingly

[pinkushun]

Did you expect otherwise?

In the words of Stanley Jobson, from the film Swordfish, "Nothing is impossible."

Note: "There was an unknown error in the submission", constantly. I suspect you think this is spam, or the hamster in your wheel has died. so please let this post go through, comment system.

Re:Realistically and unsurprisingly

[MobileTatsu-NJG]

Did you expect otherwise?

Yesterday Slashdot's summary said the last update was to prevent jailbreaking. The article said it was to fix the PDF vulnerability. So, yes, you might expect otherwise if you weren't terribly well informed on the topic.

Re:Realistically and unsurprisingly

[rbrausse]

Note: "There was an unknown error in the submission", constantly. I suspect you think this is spam

nah, /. implemented Hotmails ban of common passwords and "swordfish" is on the list...

as a more serious remark: no, I didn't expect a different outcome of the update. It seems that Apple is way too exposed, the [add color]-hat scene has a new interesting opponent - it is boring to hit guys already lying on the ground. But Apple fights like hell to keep their secrets secret, obviously irresistible for hackers.

This reminds me of the PS3 debacle: The system was attacked after Sony removed the playground "other OS", I believe that a more open approach for iDevices (like store-independent software installation) would decrease the breaking attempts.

Re:Realistically and unsurprisingly

[ultranova]

But Apple fights like hell to keep their secrets secret, obviously irresistible for hackers.

Apple doesn't fight to keep their secrets secret, it fights to sell you their iCake yet keep it too.

Frankly, it's about time this idiocy stops. In no other business can you sell someone a device, then charge for its use. And program industry with their "licensing" nonsense is even worse. Can't these creeps be dragged to the court and dealt with, so the industries can heal and start working according to the normal concepts of "buying" and "selling"?

This reminds me of the PS3 debacle: The system was attacked after Sony removed the playground "other OS", I believe that a more open approach for iDevices (like store-independent software installation) would decrease the breaking attempts.

"I am altering the deal. Pray I don't alter it any further." - Sony

Re:Realistically and unsurprisingly

I thought the meme was "the impossible is nothing."

Re:Realistically and unsurprisingly

[BasilBrush]

Frankly, it's about time this idiocy stops. In no other business can you sell someone a device, then charge for its use.

I'm not sure what you mean. Assuming this isn't a general comment on charges for mobile phones... What charges for use?

Re:Realistically and unsurprisingly

[jo_ham]

Well, I expected a patch, but it wasn't to "stop jailbreaking" as much as slashdot would like to think so. It's not some machiavellian plot to thwart homebrew, but a patch to close a gaping security hole (you know, what Apple gets flamed for "not doing quickly enough").

Colour me unsurprised they patched a hole that allowed root escalation via the PDF handler. I would call that "due diligence", and would be lauded by slashdot if it were fixed by anyone except Apple.

Re:Realistically and unsurprisingly

[BitZtream]

Frankly, it's about time this idiocy stops. In no other business can you sell someone a device, then charge for its use.

So at no point in your life have you ever seen a 'telephone' then have you? You buy the phone then pay to use it, its been that way since the government stepped in and stopped it from being you paid out the ass to lease a phone and out the ass to use it.

Re:Realistically and unsurprisingly

[macs4all]

This reminds me of the PS3 debacle: The system was attacked after Sony removed the playground "other OS", I believe that a more open approach for iDevices (like store-independent software installation) would decrease the breaking attempts.

This is an interesting comment (for once); So I will give it a considered reply (that someone will instantly discount solely on the basis of my username). But anyway...

While what you propose is a superficially sound idea, it does not bear up under scrutiny. Why? Because as soon as you "Tear Down These Walls", and allow "sideloading" (what an ignorant term!) of non-approved apps, there is instantly a problem, and it's one that all the Anti-Apple /. Users (Not to mention the legions of ACs...) must agree with: If OS X/iOS (with it's zero self-propagating malware) is as "whole-y" as the Linux/Android (with its 863 pieces of malware, including some self-propagating Virus/Worm stuff) is, then iOS Apps would soon be as Malware-Ridden as Android Apps have become. And nobody can deny the rampant scourge of malware/phishing/slamming stuff in some Apps targeting the "Free as in Freedom" Android "ecosystem".

So, please tell me what possible benefit could that be to 99.9997% of ANY "Mobile OS's" smartphone users, let alone iOS users??? (Yes, I know: Tethering). But even that isn't (quite) enough to throw the baby out with the bathwater, security-wise.

Someone claimed that only Windows and Linux users seem to understand that the internet is "A Dangerous Place" (apologies to Adrian Belew). Since iOS has been quite popular since the introduction of the iPhone in 2007, do you really think people just haven't been bothering to attack it much for four straight years? No, it's because the entire "ecosystem" (I really DO hate that term!) really does "work" for so many types of users (some professions are still a pain, due to lack of decent tools), that there is a serendipitous strength that neither Microsoft nor any of the popular Linux distros seem to be able to pull off.

Yes, that sounds like pure, cultish, fanboi; but, it is not. Just like I don't mind a (Well-Regulated!!!) police force, I don't mind the slight restrictions on my iOS APPLIANCE. I don't have to put up with that on my Mac; but the Developer Registration requirements for iOS, and the iOS App Store "Walled Garden" isn't such a ridiculous breach of freedom on a mobile device.

Now if they do that on OS X... But they won't. OS X is not a problem, malware-wise.

Re:Realistically and unsurprisingly

[RobbieThe1st]

Ah, but wait. You only need to pay to use the telephone on someone's network - I.e. paying for service. You're free to take that telephone and hook it up to your own internal network and not pay a dime. You can take that telephone apart and use it for anything you want without paying any service - the only time you need to pay for service is when you want to use someone else's network.

Re:Realistically and unsurprisingly

[RobbieThe1st]

So build a little tiny switch into the inside of the device, with a little hole for a pin to access it. By pressing that switch, you enable developer mode which is open. Press it again and it goes back to locked mode.
That way normal users can be secure in their walled garden, and power users can get what they want easily.
It's the approach the Chromebooks are using, and I'm impressed. I, for one, won't buy a device I can't completely root(and has an unlocked bootloader, for running custom OS's), but others may want security instead.

Re:Realistically and unsurprisingly

[..] as soon as you "Tear Down These Walls", and allow "sideloading" (what an ignorant term!) of non-approved [activity], there is instantly a problem, and it's one that all the Anti-[our people] must agree with: If [our fsm (grand may he be)] is as "whole-y" as the [heretics'] (with its [demonstrable demons], including some [very freaky stuff]) is, then [our faith] would soon be as [sacriligeous] as [the others'] have become. And nobody can deny the rampant scourge of [demonic activity] in some [followers] targeting the "Free as in Freedom" [..] "ecosystem".

Heh. And people wonder why mac advocates are so often mistaken for zealots.

Re:Realistically and unsurprisingly

[krizoitz]

You mean like video game consoles, computers, etc. which all charge you for extra games/software? You mean like a car where you have to pay for gas in order to keep it running? Or perhaps a gallon of milk which requires you to purchase another gallon after you've used it? Apple sells you a device, after which you are free to do with it as you wish. However if you wish for it to continue to be supported then yes, you are more limited in what you can do. The difference between Apple and Sony is that Sony sold products with an advertised feature and then later removed that feature. Apple never sold an iPhone that was advertised to be easy to jailbreak or easy to side load apps on to. You know EXACTLY what you are getting when you buy from Apple, and if you don't like what they offer, you have many other choices. Thats not evil, its just commerce.

Re:Realistically and unsurprisingly

[FishTankX]

Just a side comment, but when they sell you a car, don't they tax you for the roads through gasoline? Isn't that 'charging for it's use'?

You can use a cellphone off network for zero charge. You'd have the equivalent of an iPod touch. Cellphones are devices that need a network to run, much like cars need roads to run, and thus you pay seperate charges for the roads and for the device itself.

There are countless other examples. You buy a TV, then pay to use cable. You buy a heater, then pay for fuel.

While you may make the counter example that, in these cases, it's not the device manufacturer charging you to use the device, the fact of the matter is that it isn't apple charging you to use the device either. It's AT&T and Verizon who are. Apple merely supplies the device to use on their network, and verizon charges you to use it. Seems pretty reasonable to me..

Re:Realistically and unsurprisingly

[ultranova]

You mean like a car where you have to pay for gas in order to keep it running?

Do you have to buy that gas from the manufacturer or through him? Is there something stopping you from using whatever additives you desire?

But yes, cars are going in worse direction: many newer ones are made intentionally difficult to service without the manufacturer's specialized tools. This is a trend that's noticeable else where too: for example, consider printers with a challenge-response authentication for the printhead/ink refill. In such cases, have you actually bought something? Or have you merely leased it, but in such a manner that you pay a greater initial price and are on your own, should anything go wrong?

I don't want a society where I don't own and am not allowed to do what I want with my own things.

Re:Realistically and unsurprisingly

[krizoitz]

You can do whatever you want with your iPhone after you buy it, doesn't mean Apple has to support or help you do it.

Nelson from "The Simpsons"

Haa haaa!

This is TETHERED

Tethered is much easier to do, and much less useful, since it requires re-doing it after every device reboot.

Dear hackers

Thanks to your desire to run any software you wish, you're finding security holes for Apple, free of charge.

Keep up the good work.

Re:Dear hackers

[E+IS+mC(Square)]

The same guys Steve Jobs identified as terrorists?

Took /. longer to follow up

[Bob+the+Super+Hamste]

Although it did take /. longer to have the follow up to this story.

Slashdot used to be run by technical editors

No, this isn't a new jailbreak. It's an existing exploit which uses the same hardware exploit found by Geohot MONTHS ago. The exploit install software is now configured for the new iOS version is all. This is why it's a TETHERED exploit, as the untethered exploit add-on no longer works in 4.3.4.

Is anyone technical even working at Slashdot anymore?

Re:Slashdot used to be run by technical editors

> Is anyone technical even working at Slashdot anymore?
Why should there? It's News For Nerds, not News For Geeks.

Re:Slashdot used to be run by technical editors

[DavidTC]

No shit. The fact you used to be able to jailbreak your phone by visiting a website was not, in fact, a good thing. At all.

I'm against all sorts of restrictions on devices sold to people. I'd even argue we should make it illegal to restrict them that way, although for safety we should perhaps require some sort of protected reflash to jailbreak them, so normal consumers don't have to worry about viruses.

But, legally, people should be able to walk into an Apple store and demand root on their phone, and Apple would have to do it. And Apple should be able to demand you reflash back to unrooted before you get tech support with any software issue. That is my ideal world. Companies should not be allowed to keep control of devices they sell you. (Note this isn't the same as unlocking the phones, which I don't think they should have to do.)

And even in my ideal world, a website shouldn't be able to get root on an iPhone! Christ, people, think about that for a second. Of course Apple patched that.

Re:Slashdot used to be run by technical editors

[FirstNoel]

Seconded...

When people can get "root" on your pc from you visiting a website....that's bad...

Why should your phone be any different?

Re:Slashdot used to be run by technical editors

[punit_r]

That is my ideal world. Companies should not be allowed to keep control of devices they sell you. (Note this isn't the same as unlocking the phones, which I don't think they should have to do.)

I'm curious. While you argue in favor of jailbreak as a right of the customers, you are not okay with unlock.

Why is it okay for a company to disallow use of a product with any network. Once the customer has paid for the phone, its his/her choice which network to use.

Re:Slashdot used to be run by technical editors

[ccguy]

Is anyone technical even working at Slashdot anymore?

Yes, but but we still don't RTFA.

Re:Slashdot used to be run by technical editors

[sjames]

Why shouldn't they also have to unlock the phone? You're paying for it and the termination fees on a service contract assure you will pay for it even if you switch providers.

Re:Slashdot used to be run by technical editors

[DavidTC]

Because people steal iPhones. They pay for their contract with a bogus credit card, walk out of the store, and resell them.

Re:Slashdot used to be run by technical editors

[StikyPad]

The fact you used to be able to jailbreak your phone by visiting a website was not, in fact, a good thing.

Mostly true, however I might add that these exploits will almost inevitably exist as long as software originates with humans. I'm glad we're seeing them used for "good" with jailbreaks rather than for evil. Comex could easily have offered his services to the highest eastern European bidder instead of releasing a jailbreak (with the caveat that the jailbreak may well install a trojan horse for all I know.)

At any rate, IIRC "Jailbreakme" patches the exploit itself, essentially closing the door behind it on the way in. Functionality + responsibility is pretty cool as far as I'm concerned.

Re:Slashdot used to be run by technical editors

[DavidTC]

I'm not in favor of unlock because while normal people pay the termination fee (And thus should have their phone unlock.), you apparently don't know about the actual reason for locking phones.

Specifically, people walking into AT&T stores with stolen credit cards, use that name, get an iPhone and a 'contract', and walking out and resell it.

I'm all for requiring the phone company to unlock any phone that you've actually paid off, either with time or a termination fee. The thing is, they already do that. In fact, they're required to by law.

Everyone who wants their phone unlocked without that either literally stole it from a warehouse, stole it by buying it with a stolen CC, gained it by claiming it was lost and got a replacement under warranty, or they fled their contract. (The last two are not, strictly speaking, theft...just fraud.) Or they purchased it from someone who did one of those things.

There's not some magical source of locked phones out there in legit hands that need unlocking. There are only two ways for people to legitimately need unlocking:

1) They purchased a replacement phone, and want to use their old phone on a different network, or

2) They bought, or were given, a phone from someone who paid it off, but before that person had it unlocked, so now the new owner can't prove it's paid off and the phone company won't unlock it.

There's several ways to solve these problem without allowing unlocking in general. The second can be solved with better bookkeeping, and I think the burden off proof should be on the phone company to demonstrate the phone isn't paid for yet, or otherwise unlock it.

And the first could be solved by letting people pay off the balance on their phone anytime they want, which would probably be good enough for most people.

Re:Slashdot used to be run by technical editors

[DavidTC]

Perhaps when Apple forces you to buy an iDevice, you may have a point. Until then, you opt into buying it, and you can certainly jailbrake it, but don't expect them to support your efforts or your hardware after the fact. Companies have been voiding warranties long before apple when it came to running a product out of specification. This is no different.

I believe you mean 'companies have been attempting to void warranties based on random things long before apple did, and the courts and legislatures have repeated restricted their ability to do that.'

Oh wait. You probably don't even own an iDevice...

I have no idea what the fuck that has to do with anything, but I do own one. An iPhone 3G, in fact, with tethered jailbreak. (The 3G didn't have the PDF exploit.)

Re:Slashdot used to be run by technical editors

[sjames]

That's between the crooks and their carriers. People steal all sorts of things from chewing gum on up to heavy equipment. That's not a valid reason to impair everyone's ownership of what they pay for.

If the carriers would like to find a cooperative solution, perhaps they should agree to provide the unlocking codes themselves after enough payments have been made to satisfy them that the customer is legitimate and in return, we can cut them a little slack for the first few months.

Re:Slashdot used to be run by technical editors

[PReDiToR]

And they then get added to IMEI blacklists that make the phone useless.*

Carrier locks have nothing to do with fraud or theft, unless it is fraud on the part of the carrier by making people use the phones they sold them on their generic network signal.

* In the UK this happens. Does the other side of the pond use the IMEI database to make iPhones into iPod Touches too?

Re:Slashdot used to be run by technical editors

[exomondo]

Specifically, people walking into AT&T stores with stolen credit cards, use that name, get an iPhone and a 'contract', and walking out and resell it

What bunch of complete and utter morons enter into an ongoing contract with someone that just has a credit card and no identification to back it up?! Their stupidity isn't a reason to impose that restriction on customers.

Re:Slashdot used to be run by technical editors

[DavidTC]

From what I understand, the IMEI blacklist is almost useless, because almost every phone has the ability to change IMEI numbers.

Re:Slashdot used to be run by technical editors

[PReDiToR]

Up to five years in jail in the UK stops a lot of people from doing it, that and it's actually quite hard to find the instructions on "nice" forums.

Re:Slashdot used to be run by technical editors

[DavidTC]

Erm, yes, up to five years in jail stops 'legitimate owners' from doing it.

It really doesn't stop people who stolen a phone.

Tethered jailbreak

[L4t3r4lu5]

This jailbreak requires you to have your phone connected to your computer at every reboot in order to root it, and root is lost if phone is rebooted without connecting to the computer.

The PDF font handling vulnerability gave you perma-root (unthethered) and could also be used as a drive-by exploit.

In short, misleading title is misleading.

Re:Tethered jailbreak

[brim4brim]

But once you have root, why can't you just change that?

Re:Tethered jailbreak

[Dunbal]

How often do you reboot your phone? And don't you want to connect it to your computer after you do anyway, to restore stuff?

Re:Tethered jailbreak

[L4t3r4lu5]

I may have misused the term "root", as I use an Android phone (rooted, obviously :) ). "Jailbreaking" iOS may not be the same as permaroot, hence not being called "rooting", and if that's the case it's my fault for using the improper term.

Re:Tethered jailbreak

[nabsltd]

How often do you reboot your phone? And don't you want to connect it to your computer after you do anyway, to restore stuff?

Why would you need to restore after a reboot?

I don't restart my phone (Android) that much, but sometimes an app dies and leaves the phone in a less than desirable state (e.g., un-killable background tasks that eat the battery). I've never lost any data because of a restart.

Re:Tethered jailbreak

[dmacleod808]

Perhaps you misunderstand the meaning of reboot? I reboot my JB Ipad all the time (Bluefire reader crashed the ipad after JB, back to Stanza which wasnt working properly before the JB go figure) I have never had to restore anything after a "reboot"

Re:Tethered jailbreak

[barzam]

The term "root" is to be understood as "administrator rights". So once you have opened the PDF or whatever your compromised phone downloads and installs another program that persists after the phone has rebooted. In turn, this program can keep sending those sms or log your data or whatever it does.

Re:Tethered jailbreak

Ever since installing iOS 4, I've had to reboot my iPhone 3GS once or twice a week. Multitasking has killed performance on the phone as it doesn't have the RAM for it. After a few days of using different apps, it starts running dog slow. I'm usually on the bus or at work when it happens, so tethered reboots to my home computer aren't practical.

And no, you don't have to "restore stuff" after a simple reboot. If you were to wipe the flash memory clean, yes, but that's a factory reset, not a reboot.

Re:Tethered jailbreak

[L4t3r4lu5]

Rebooting in this instance (and all instances, AFAIK) means to power off and back on. This is not a destructive process (wiping, flashing, recovering etc). The temporary jailbreak for 4.3.4 does not persist through the phone being powered off and back on.

Re:Tethered jailbreak

[garaged]

Samething with ipad, but it happens every 2-3 weeks, so it is not that anoying really, I updated to untether the jailbreak
Ast weekend after some 6 months running on tetherd jailbreak and I had rebooted at most 3 times in that ammount of time

BTW the update was showing on itunes since saturday at least, I had to do a partial upgrade because of that

Re:Tethered jailbreak

Not necessarily... if the system partition is read-only & non-writeable (like it could be for certain Android models) then gaining root really can be a temporary compromise depending on the nature of the exploit.

Re:Tethered jailbreak

[frostfreek]

Have you tried killing the unused apps instead of rebooting?
Just wondering...

Re:Tethered jailbreak

[tlhIngan]

I may have misused the term "root", as I use an Android phone (rooted, obviously :) ). "Jailbreaking" iOS may not be the same as permaroot, hence not being called "rooting", and if that's the case it's my fault for using the improper term.

No, you're correct. Jailbreaking gives you root. It refers to breaking out of the jail() that iOS puts on apps, and as a side effect, also gives you root.

However, iOS has a few more security protections that make it harder to KEEP root. After all, Cydia and the like must run as root in order to work (Cydia relies on apt and debs, and grants full access to the system - something only doable via root as the iOS sandbox has limits).

You see, a vulnerability in iOS (and most other OSes) is that you can patch the in-memory images of stuff. Tethered jailbreaks rely on just that - patching the kernel images and such in memory, AFTER the security check has taken place. If you patch the kernel or other executables on disk, they will fail their signature checks and won't be loaded.

Re:Tethered jailbreak

[Scoth]

One of my big reasons for jailbreaking is installing Backgrounder and SwitcherMod to take over control of multitasking. I have it set to not background apps by default (except for a couple apps like Safari and ipod) and SwitcherMod to get rid of recently used apps in the switcher. That way it acts much more like a taskbar/dock of running apps rather than trying to hide which apps are running and which aren't. I'm smart enough to know the difference between running and not running and like being able to control what I leave running.

Re:Tethered jailbreak

[drinkypoo]

You must be thinking of older Windows Mobile devices from the era just before flash got cheap. They have only enough nonvolatile storage to hold the operating system and a handful of apps...

Re:Tethered jailbreak

Nope. There's a hardware-supported chain of trust that goes like that: bootrom->LLB->iBoot->kernelcache->userspace
bootrom is a ROM inside of the main CPU, everything else is potentially writable but sigchecked during boot; so far the only bootrom exploit found on A4 (limera1n) the DFU mode vulnerability, that needs the device to be manually booted in DFU mode using hardware buttons, and then a payload needs to be sent from the USB host (usually a PC). This vulnerability is not exploitable during normal boot path, so an 'untether' has to be used for that - a usermode app consisting of some way to avoid the userspace sigchecks, a privilege elevation exploit and a kernel code execution exploit that actually patches the kernel to allow unsigned code execution and w+x pages. Each new firmware release usually fixes vulnerabilities used by the publicly known untether.

Re:Tethered jailbreak

[Jim+Hall]

> In short, misleading title is misleading.

And old meme is old.

Re:Tethered jailbreak

[Myen]

Do you happen to know how the drive-by PDF exploit manages to keep root, then? I'm curious as I don't see how arbitrary code execution via a PDF vulnerability differs from arbitrary code execution via a cable - what sort of magic allows the former case to bypass the security checks that the latter can't duplicate?

This isn't relevant

They're using the hardware exploit, which requires changes to the hardware to fix, and requires you be tethered to perform it. Nothing new here, Seriously.

Re:This isn't relevant

[gumbi+west]

This basically means that they are out of software zero day exploits.

Having a walled garden is definitely responsible for Apple's high level of security.

Nothing Like Bragging Rights

[MikeyTheK]

Is there anything that is quite as effective as bragging rights to drive innovation (besides Economics, of course)? I don't know if security on iOS could get any better faster if you didn't have a determined group trying to break it publicly.

Re:Nothing Like Bragging Rights

[Slur]

... and in what universe does any device go unmolested? That there are crackers is just a given at this point.

Re:Hah

[Goaway]

You wish death on Steve Jobs for removing security holes in his products?

So it's a tethered jb...

[grimmjeeper]

The relevant question is: How many days until they come up with an untethered break? I give it no more than 2 weeks, tops.

Re:So it's a tethered jb...

I doubt someone will "waste" a undiscovered security bug for jailbreaking a .4 release that just fixed the jailbreaking hole - next tethered jailbreak will be with IOS5.

Re:So it's a tethered jb...

ios 5 will not be released until about the time the iphone 5 comes out early October. I can guarantee they will have an untethered jailbreak by early August.

Solution

Don't buy an iPhone.

Re:Solution

[compro01]

Or Android devices made by assholes (read: Motorola, etc.) who lock down the bootloader.

Why is this news?

Really? Why? Slow-news-day perhaps?

Re:Hah

[PopeRatzo]

removing security holes

Is that what they're calling locking down a device these days?

By your logic, if the black helicopters showed up on your front lawn and hauled you and your family away to a detention camp they'd be "removing security holes".

In a way, you'd be right, too.

Remember what Ben Franklin said about security. If you're willing to give up your freedom for security, you don't deserve either. By Franklin's logic, Apple users deserve nada.

Re:Hah

[Reverand+Dave]

>

Remember what Ben Franklin said about security. If you're willing to give up your freedom for security, you don't deserve either. By Franklin's logic, Apple users deserve nada.

I have always felt this way. "It just works" is a good way to describe the way the Burmese regime works. Of course it just works, there is not allowed to be any dissention among the ranks. If the large population of iDiots that purport to have superior products, security, etc ad nauseum actually looked at everything they were giving up just to have their comfy blanket of apple security, they'd be a little disappointed.

Re:Hah

[Goaway]

Is that what they're calling locking down a device these days?

No, that is what we call removing arbitrary privileged code execution vulnerabilities in web browsers.

I sometimes wonder about the Apple programmers...

...who (try to) secure the iphone. They're obviously going to be clever people and very capable engineers, and even though it must be satisfying to solve these problems, I sometimes wonder if they ever have any qualms about working all day to deliberately limit the functionality of a really amazing bit of kit. All the best programmers I've worked with have that tinkering, hacker (in its original sense) mentality, and if I was in their position I'd probably be wondering about the overall worth of spending my time preventing users from accessing their own filesystem.

Then I'd shrug and think about my stock options to make myself feel better ;-p

Re:Hah

[Duradin]

/. should really have a macro for that quote as much as it gets used here.

Type BFQ and autoexpand from there.

Hey!

[Haedrian]

I guess "iOS 4.3.4 Prevents Hacking and Jailbreaking" wasn't true after all.

Re:Hey!

[PNutts]

I guess "iOS 4.3.4 Prevents Hacking and Jailbreaking" wasn't true after all.

It was for about 12 hours...

Re:Hey!

[Slur]

Not so much. "iOS 4.3.4 prevents you from hacking or jailbreaking..." would be better.

not a new exploit

Correct title is. The same LimeRa1n exploiot that cannot be patched is still open.

WebOS

[SCHecklerX]

It's a shame Sprint has abandoned the HPalm line. Hopefully it will gain traction on Verizon and ATT. No 'jailbreaking' necessary. The platform is open and easy to modify to your heart's content. HP actively recognizes, encourages, and works with the homebrew community.

http://www.webos-internals.org/wiki/Main_Page

Re:Hah

[PNutts]

Is that what they're calling locking down a device these days?

No, that is what we call removing arbitrary privileged code execution vulnerabilities in web browsers.

Definitely. It's the same thing Google did with Android in 2008. They patched an exploit that was also used to jailbreak phones.

[citation needed]

[tepples]

This is the internet... we normally don't require MLA citations for things that are more or less common sense.

But if something is contested, it'd be nice to have a URL or at least proper Google keywords to research the issue. Hence the "citation needed" meme that started at Wikipedia.

Instead of an iPod touch

[tepples]

I didn't buy an iPhone. But what should I buy instead of an iPod touch? Samsung Galaxy Player didn't appear available last time I looked, and Archos devices don't have Android Market.

Re:Instead of an iPod touch

Archos devices don't have Android Market.

Pirate the market then. Just go to the Archos forums and you'll find tons of people telling you how to add the Market to your Archos device.

Or just pirate the apps. It works just as well, between APKTor and torrents. Hell, perhaps we'll see a return of the daily "new paid apps" torrents that used to occur.

A bit harder to get free apps, but you can always do both, and install ad blockers and crap as well.

It's the big advantage of Android after all - leave the app-paying chumps to iOS and the few that don't know about anything else other than paying for apps via the Market.

Apple did not push fix to break jailbreaking

[SuperKendall]

In two separate stories now, it has been put forth that Apple pushed out this fix with the mustache-twirling intent to stop jailbreaking.

Well obviously not, since the problem that lets tethered jailbreaking work is without issue. The REAL reason Apple "broke" untethered jailbreaking is that it was a gaping flaw in PDF handling that would let an attacker gain control of the system.

I realize Slashdot has a more general readership these days but surely anyone can see that leaving an exploit like that unlatched is bad. In fact other companies have been chastised for leaving holes like that open for too long, and rightfully so...

So please let us drop the pretense that every security patch is Apple out to stop jailbreaking. Apple in fact does not really care if you jailbreak, and is using it covertly to see what new features might be good to add to the platform by viewing the experimental jailbreak community... sometimes not so covertly as the case of them hiring the guy who did jailbroken notification handling to fix notification handling in iOS5! I can't think of a clearer signal that jailbreaking has at least covert approval within Apple.

Re:Apple did not push fix to break jailbreaking

[Strangelover]

I agree. Considering how easy it is to jailbreak ios devices and the original Apple TV, it seems obvious that that Apple puts little effort into blocking hacks that require physical access to the device. Obviously, with the film and music industry on board, they can't make an open device. But with this "cat and mouse" game, the mouse will never win, and any attempt the cat makes to win (completely lock down the device) is doomed to fail. Look at xbox, ps3 and WII. It's better to be the cat in a cat-and-mouse game than the hangman in a hangman game.

Re:Apple did not push fix to break jailbreaking

[drinkypoo]

It's better to be the cat in a cat-and-mouse game than the hangman in a hangman game.

Seems to me like that depends largely upon your point of view...

Re:Apple did not push fix to break jailbreaking

The sad part is, to have full control of your OWN device requires security holes to exist and be exploited. The same exploits can be used for malicious purposes obviously. This drives a strong effort to locate and exploit these holes (A good thing from a security perspective), and a wise move on Apple's part because if they keep patching, people will keep finding their vulnerabilities and strengthening their OS free of charge.

Re:Apple did not push fix to break jailbreaking

[SuperKendall]

This drives a strong effort to locate and exploit these holes

But as others have noted Apple is not really pushing hard to fix security holes that require local access. this strikes a good balance between keeping the platform effectively open, while still fairly secure.

I chortled a little

[Karl+Cocknozzle]

When I saw that the IOS 4.3.4 Un-jailbreakable! story was still on the front page when this came out. And remains there as of this writing.

Re:Hah

[shutdown+-p+now]

The security hole was real, and could be used to run arbitrary code on your phone, not necessarily to give you control over it.

You need to keep up.

Slashdot used to be run by technical editors

Slashdot has been run by the Promote Australia At Every Turn dept. for quite some time.