Charlie Miller Discovers iOS Code-Signing Bypass Vulnerability
Security researcher Charlie Miller (@0xcharlie) has discovered a significant flaw in iOS which may allow a malicious app on the App Store to download and execute arbitrary unsigned code. What this means for iPhone, iPad and iPod Touch users is that installing a malicious app may allow an attacker to obtain shell access to your device, and download contacts or images.
Apple reviews every app submitted to the App Store, which has meant that iOS users have not had to worry about outright malware. Since this vulnerability allows the apps to fetch code remotely, they can perform actions not reviewed by the App Store staff. Charlie had submitted a proof-of-concept app that was approved (see video below), but has since been removed by Apple.
The reason this vulnerability works is based around some changes Apple made in iOS 4.3 last year, which allowed Mobile Safari to run javascript at a more privileged level on the devices. This change required Apple to make an exception for Safari to execute unsigned code in a particular area of memory. Charlie Miller’s bug is allegedly a very unique case that allows any app to take advantage of this, and hence run their own unsigned code.
Charlie will be presenting the vulnerability in detail at the SysCan conference in Taiwan next week. Apple has already released a developer beta of iOS 5.0.1 which patches the recent iPad Smart Cover lock screen bypass, but I would not be at all surprised if they release another beta which includes a fix for this bug. Until then, be careful to only install apps from developers you trust.
[Update] Apple has kicked Charlie out of the Developer program. At first I felt that this was an extremely bad reaction on Apple’s part. That said, Apple is probably most upset that Charlie’s proof-of-concept app could have been installed by legitimate users. Regardless of Charlie’s intentions, this could constitute malware, and he should have removed the app as soon as he saw the flaw existed. The posting of his video above probably didn’t help matters either.
Apple Releases Slew of Security Updates (OSX, Safari, iTunes, iOS 5, aTV)
I wasn’t going to post about last week’s fairly significant iTunes update, but then Apple went and patched a whole bunch of vulnerabilities across the board. Some of these are fairly significant so I thought I would provide a short breakdown of the changes. Either way, you should definitely be patching all of your Apple devices and software tonight.
Hit the jump for a summary of the key vulnerabilities patched in Apple’s security updates.
Extracting and Cracking Mac OS X Lion Password Hashes [Updated]
The Defence in Depth blog has a post about a flaw in Lion’s redesigned authentication mechanisms and Directory Services. In short, it is possible to change the password of the currently logged in user by simply running the following command in the terminal, and it won’t ask you for the user’s current password:
$ dscl localhost -passwd /Search/Users/<username>
In Lion it is also easy to dump a user’s SHA-512 password hash using the following command:
$ dscl localhost -read /Search/Users/<username>
Then look for the dsAttrTypeNative:ShadowHashData chunk in the output (sample below). The hex string in red is the salt, and the green is the hash.
62706c69 73743030 d101025d 53414c54 45442d53 48413531 324f1044 74911f72 3bd2f66a 3255e0af 4b85c639 776d510b 63f0b939 c432ab6e 082286c4 7586f19b 4e2f3aab 74229ae1 24ccb11e 916a7a1c 9b29c64b d6b0fd6c bd22e7b1 f0ba1673 080b1900 00000000 00010100 00000000 00000300 00000000 00000000 00000000 000060
Cracking password hashes can be done using his custom Python script, or John the Ripper (with the Jumbo patch). Note that even if someone manages to obtain your password hash, if you’re using a strong password it will be extremely difficult for them to recover it. Seems like both of these are important but fairly low-risk flaws introduced into Lion. Hopefully Apple will look into these for the next update.
[Update 1] While waiting for an Apple-supplied security update, it is possible to protect yourself from this vulnerability by adjusting the permissions on dscl:
sudo chmod go-x /usr/bin/dscl
This makes it so that only root can execute dscl. To revert this simply run:
sudo chmod go+x /usr/bin/dscl
[Update 2] This vulnerability was patched in Mac OS X 10.7.2.
Security Update 2011-005 Fixes DigiNotar SSL Vulnerability
Apple has finally issued Security Update 2011-005 to address the recent issues around compromised Dutch certificate authority DigiNotar. It was discovered that at least 531 fraudulent SSL certificates were issued by DigiNotar, leading to their root certificate being revoked in all major operating systems and browsers over the past two weeks. A man-in-the-middle attacker in possession of one of these certs (eg. Google, Skype), would be able to intercept SSL-encrypted traffic to those sites. It is believed that the use of these fraudulent certs may have been limited to the Iranian government.
This patch removes the DigiNotar CA from the trusted root certificates in the Mac OS X keychain (which is also used by Safari) for Lion and Snow Leopard. Unfortunately no patch has been issued for Leopard (10.5) users, leaving them at a heightened risk from these bad certificates. It is recommended that Leopard users delete the DigiNotar CA certificate from the Keychain using the following steps:
- Open Keychain Access (/Applications/Utilities/Keychain Access)
- Click on the System Roots keychain in the top-left hand panel
- Click on Certificates in the bottom-left hand panel
- Type DigiNotar into the search field in the top right.
- Right-click on the DigiNotar Root CA, and select Delete.
# sudo /usr/bin/security delete-certificate -Z C060ED44CBD881BD0EF86C0BA287DDCF8167478C /System/Library/Keychains/SystemRootCertificates.keychain
Firefox users should update to the latest version of Firefox. Here is the full Apple description for this update:
Security Update 2011-005
- Certificate Trust Policy Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.1, Lion Server v10.7.1Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information
Description: Fraudulent certificates were issued by multiple certificate authorities operated by DigiNotar. This issue is addressed by removing DigiNotar from the list of trusted root certificates, from the list of Extended Validation (EV) certificate authorities, and by configuring default system trust settings so that DigiNotar’s certificates, including those issued by other authorities, are not trusted.
Steve Jobs Resigns as Apple CEO, Tim Cook Named as Successor
Today is a sad day. Steve Jobs, the man who founded Apple and single-handedly turned the company back around and redefined the music and mobile computing industry, has announced his resignation as CEO. Steve has been an inspiration to me for as long as I can remember, and his vision and attention to detail has defined a generation and brought us products that are, without a doubt, insanely great. Unfortunately Steve has struggled with health issues over the past few years, and I wish him all the best. I’m very happy to see him continue as part of Apple as Chairman of the Board. Here is Steve’s press release:
PRESS RELEASE: Letter from Steve Jobs
August 24, 2011–To the Apple Board of Directors and the Apple Community:
I have always said if there ever came a day when I could no longer meet my duties and expectations as Apple’s CEO, I would be the first to let you know. Unfortunately, that day has come.
I hereby resign as CEO of Apple. I would like to serve, if the Board sees fit, as Chairman of the Board, director and Apple employee.
As far as my successor goes, I strongly recommend that we execute our succession plan and name Tim Cook as CEO of Apple.
I believe Apple’s brightest and most innovative days are ahead of it. And I look forward to watching and contributing to its success in a new role.
I have made some of the best friends of my life at Apple, and I thank you all for the many years of being able to work alongside you.
As far as Apple goes, well, it’s always difficult to know what the company will do, but it’s safe to say that they’re in the most stable and dominant position they’ve ever been. Although Steve was the visionary, he’s had a rock solid team of executives working with him, and I’m sure that his succession plan was developed to leave Apple in the best possible situation. Apple has already announced Tim Cook as his successor, and Steve being elected to Chairman of the Board. In my opinion Tim will be a solid CEO, and proved to be extremely capable during Steve’s previous absence; I just hope he also shares some of Steve’s creative vision.
Apple stocks crashed nearly 5% in after-hours trading, which is to be expected. As the world has been aware of Steve’s medical condition for a while now, his resignation did not come as too much of a shock, otherwise the drop would’ve been far more significant. Apple has strong fundamentals, and an excellent performance capped off by a massive cash store. If the stock does drop, it will be very short lived as investors realise that the company is as solid as ever. Not to mention that Apple’s roadmap is more or less fixed for the next two years anyway.
Again, Steve I wish you all the best, get well soon, and welcome to Tim as the new leader of what will continue to be a source of innovation for years to come! I look forward to reading Steve’s official biography. Hit the jump for Apple’s full press release.
Steve Jobs Presents New Apple Campus to Cupertino Council [Updated]
Just a day after his keynote at the World Wide Developer Conference, Steve was giving a different kind of presentation… to the Cupertino Council.
Five years ago Apple purchased a large chunk of land from HP, and have been planning on building a new campus to house 12,000 employees. As Steve explained (and this guy can sell anything), the new campus will feature a beautiful circular building, to be set in a massive landscaped park. The picture below shows how close it’ll be to Apple’s headquarters at 1 Infinite Loop, and a mock-up of what it will look like from space (likely the setting of Apple’s new campus in 2098).
The campus will even feature its own natural gas power station, because it seems like Steve doesn’t trust the electricity company. The entire project is pegged for completion by 2015.
[Updated 9/06/2011] Steve has made his coucil presentation slides available (PDF). Details have emerged that the architect will probably be Norman Foster.
Hit the jump for a video of Steve’s pitch to the council. Read more
Poll: What iOS 5 feature are you most looking forward to?
iOS 5 will be a major update to Apple’s portable OS, to be released in the Fall of 2011. It’s got a whole bunch of new features, which one are you interested in?
What iOS 5 feature are you most looking forward to?
- iMessage (31%)
- Notification Center (23%)
- iCloud Integration (21%)
- Wifi Sync and Backup (19%)
- Twitter Integration (4%)
- Location-based Reminders (2%)

If your preferred option isn’t available, I’d be interested to hear what it is in the comments!
iCloud: Will Rebranded MobileMe Service Finally Bring Improved Services? (WWDC 2011)
[Update 10/10/2011] Here’s a summary of the new iCloud webmail, contacts, calendar and Find My iPhone.
Ok, so let me put this out there. MobileMe has been kinda broken for some time now (it’s ok Steve knows it). Yes, you can upload stuff to the gallery from iPhoto and your iPhone, and yes you can keep your contacts and calendars in sync across your devices, and you can also track your iPhone/iPad. But all-in-all, as an application it has been nowhere near the quality that you would expect from Apple for a $99 (!) yearly subscription… I would know… I’m a subscriber. I subscribe primarily because I’ve had my mac.com email account since back when it was free, and out of all the webapps, it’s the MobileMe webmail that makes me rage the most. While others like Gmail have ugly interfaces that work, MobileMe has a slick interface that works… about half the time (and the search functionality works when it feels like it).
And yet again I find myself hoping that iCloud will be a rebrand/rework of MobileMe that brings some actual value… hopefully free/cheap.
— Security Generation (@securitygen) May 10, 2011
I’ve been screaming for Apple to sit down and get MobileMe right – maybe they listened to me? Doubt it. This picture shows the new iCloud icon (spotted at the Moscone Center where the WWDC will take place), next to the current MobileMe icon. They’re pretty much identical, with Apple going back to its pro-style brushed-metal look. I’ve been speculating that MobileMe’s cloud-based motifs have been hinting at more developed features, and with the confirmed purchase of icloud.com by Apple, it became pretty clear it may actually happen.
It’s already well known that iCloud will be centered around an online music service, which would give subscribers access to their music from anywhere. How the existing MobileMe features fit in has yet to be determined. There are rumours iCloud will cost $25/year for the core music subscription. For one, I’m praying that Apple will decouple the email service from the rest of the subscription. There are also rumours that an iCloud subscription will be included with purchases of Lion, and this is highly plausible. With Apple pegged to have iAds running on iCloud services, they could stand to reap some significant advertising profits. I also hope they get their security right. A service of this magnitude has so many potential entry points. Time will tell.
The Worldwide Developer Conference is by far the most interesting of Apple’s yearly events, and I suspect Steve has a rabbit or two up his stone-washed jeans.
[Update] The answer to the title of this post is, hopefully, yes! Check out my post about the WWDC 2011 news. While I haven’t yet seen the finished products in the iCloud offering, I’m fairly confident that Steve would not allow a repeat of MobileMe. Seems like Apple did listen to me in the end, and MobileMe services will become free as part of iCloud! ;)
[Update 2] Here’s a summary of the new iCloud webmail, contacts, calendar and Find My iPhone.
The State of Mac Malware
There’s been a lot of buzz recently about the sudden increase in Mac-specific malware cropping up so far this year. First people raved about the fairly tame and unthreatening BlackHole RAT trojan, then Mac users had to watch out for a slightly more crafty but avoidable MACDefender trojan, and now there’s news of a more advanced malware kit (Weyland-Yutani Bot) that has the ability to steal data entered into Firefox (Safari and Chrome currently unaffected, but expected to follow soon). AppleCare has reportedly been receiving a significant number of calls about the MACDefender trojan, and has issued a support document on how to deal with it.
Clearly some change is in the air, but exactly how does it affect normal Mac users? I for one actively look for Mac-based malware (eg. MACDefender), and have never stumbled across it by accident. Maybe I need to surf on the ‘dark side’ of the web more often. I just wanted to give my take on recent events and the state of Mac malware, and why I don’t think there’s any reason to be too worried just yet.