There have been reports (and here) of iOS 5.1 containing a camera bypass tied to the new camera shortcut on the lock screen. The people who have reported this are sadly confused about the security timeout enforced by iOS’s Require Passcode setting (Settings > General > Passcode Lock > Require Passcode). If your Require Passcode setting is set to anything other than Immediately, then your device (and the camera roll from the camera shortcut) will be accessible for the entire duration of time specified (ie. 1 minute or 5 minutes).
As always, the best setting for Require Passcode is Immediately. That way you know that when you lock your device, it is actually locked, and will prevent someone from gaining access to it without the passcode within the minutes following the ‘lock’.
Sadly people seem all too eager to rush and report on iOS vulns before actually verifying them.
TDLR; There is no lock screen bypass in iOS 5.1 using the new camera shortcut. They were wrong.
I wasn’t going to post about last week’s fairly significant iTunes update, but then Apple went and patched a whole bunch of vulnerabilities across the board. Some of these are fairly significant so I thought I would provide a short breakdown of the changes. Either way, you should definitely be patching all of your Apple devices and software tonight.
Hit the jump for a summary of the key vulnerabilities patched in Apple’s security updates.
Before making the switch from MobileMe to iCloud last week, I was looking around for posts about iCloud’s new webmail and didn’t find any. As I’d just installed the iOS 5 GM on my iPhone, I was eager to get iCloud going as well to get a head start, but wanted to investigate the iCloud services first. I didn’t find any useful posts, but made the switch anyway. Seeing as iCloud will be free to all users now, I thought I’d give you a heads up into what you can expect!
The Defence in Depth blog has a post about a flaw in Lion’s redesigned authentication mechanisms and Directory Services. In short, it is possible to change the password of the currently logged in user by simply running the following command in the terminal, and it won’t ask you for the user’s current password:
$ dscl localhost -passwd /Search/Users/<username>
In Lion it is also easy to dump a user’s SHA-512 password hash using the following command:
$ dscl localhost -read /Search/Users/<username>
Then look for the dsAttrTypeNative:ShadowHashData chunk in the output (sample below). The hex string in red is the salt, and the green is the hash.
62706c69 73743030 d101025d 53414c54 45442d53 48413531 324f1044 74911f72 3bd2f66a 3255e0af 4b85c639 776d510b 63f0b939 c432ab6e 082286c4 7586f19b 4e2f3aab 74229ae1 24ccb11e 916a7a1c 9b29c64b d6b0fd6c bd22e7b1 f0ba1673 080b1900 00000000 00010100 00000000 00000300 00000000 00000000 00000000 000060
Cracking password hashes can be done using his custom Python script, or John the Ripper (with the Jumbo patch). Note that even if someone manages to obtain your password hash, if you’re using a strong password it will be extremely difficult for them to recover it. Seems like both of these are important but fairly low-risk flaws introduced into Lion. Hopefully Apple will look into these for the next update.
[Update 1] While waiting for an Apple-supplied security update, it is possible to protect yourself from this vulnerability by adjusting the permissions on dscl:
sudo chmod go-x /usr/bin/dscl
This makes it so that only root can execute dscl. To revert this simply run:
sudo chmod go+x /usr/bin/dscl
[Update 2] This vulnerability was patched in Mac OS X 10.7.2.
The two latest iOS updates are fairly significant in that they patch two critical vulnerabilities. iOS update 4.3.4 patched a number of bugs including comex’s PDF/FreeType vulnerability used to create the latest JailbreakMe exploit. If you’re a jailbreaker, it’s essential that you run comex’s ‘PDF Patcher 2′ within Cydia, in order to patch the underlying vulnerability. iOS update 4.3.5 released a couple days ago, patches a fairly significant bug in the way iOS validates SSL/TLS certificates. This vulnerability can allow an attacker to intercept and/or modify data protected within an SSL session without the user knowing it. This was possible to due the fact that iOS didn’t validate the basicContstrains parameter of SSL certificates in the chain.
If you’re only an occasional patcher – now is the time.
What iOS 5 feature are you most looking forward to?
- iMessage (31%)
- Notification Center (23%)
- iCloud Integration (21%)
- Wifi Sync and Backup (19%)
- Twitter Integration (4%)
- Location-based Reminders (2%)
If your preferred option isn’t available, I’d be interested to hear what it is in the comments!
Apple has released an update to their free Find My iPhone offering, which greatly improves the support for tracking devices that are offline at the time. Note that this doesn’t mean you can track an iPhone or iPad that is turned off, or out of signal range (not possible). Instead, if a device is offline when you try to locate it, Apple will later send you an email with its location the next time that device gets back online. Thanks to this, it’s no longer necessary to constantly be checking the Find My iPhone app/webpage. Here is Apple’s summary of the changes:
- When you are unable to locate a device because it is offline, you will receive an email if the device comes online and is located.
- Ability to remove an offline device from the list using the app.
Note, it appears this updated feature is only available using the Find My iPhone app (version 1.2) available in the App Store – it is not yet available in the MobileMe web interface. I assume it won’t be updated until the new iCloud Find My iPhone web interface is launched. [Update: I was right.]
For more information on how to use this great free service to recover your iOS devices, check out Protecting and Recovering Your iPhone and iPad from Loss and Theft.
Apple has released Security Update 2011-003 for Mac OS X 10.6 which updates the system’s built in ‘File Quarantine’ (aka. XProtect) mechanism to detect and remove OSX.MacDefender.A. More significantly, however, Apple has now enabled the ability for File Quarantine to receive daily updates to to its malware definition list, essentially giving Mac OS X a very simplistic built-in anti-virus. Now it’s just up to Apple to actually update the malware definitions list on a regular basis.
In System Preferences > Security > General, users can choose whether or not they want to “Automatically update safe downloads list”. I’m not sure “safe downloads list” is the best name for it however, as it doesn’t really help users understand what its purpose is. I highly recommend keeping this option checked. Note that the screenshot below is not a recommendation of what your preferences should look like, it’s merely highlighting the new option. For more into about configuring your Security settings check out Securing Leopard: Security, FileVault and Firewall (to be updated with this new setting shortly).
[Updated 01/06/2011] As I wholly expected, a new variant of MACDefender is already out in the wild that does not get detected by OSX’s File Quarantine. As File Quarantine is simply a blacklist of known malware, it does not have the ability to pick up on malware it doesn’t recognise. This will be a good test to see how quickly Apple responds and updates the File Quarantine definitions. If you installed the 2011-003 security update then your system is already set to check for new updates every 24 hours. Browse safe out there.
[Updated 02/06/2011] Apple has already updated the File Quarantine definitions for the latest MACDefender variant (OSX.MacDefender.C). Pretty good response time by Apple!