Key iOS Security Updates Patch PDF and Certificate Validation Vulnerabilities (4.3.4 and 4.3.5)
The two latest iOS updates are fairly significant in that they patch two critical vulnerabilities. iOS update 4.3.4 patched a number of bugs including comex’s PDF/FreeType vulnerability used to create the latest JailbreakMe exploit. If you’re a jailbreaker, it’s essential that you run comex’s ‘PDF Patcher 2’ within Cydia, in order to patch the underlying vulnerability. iOS update 4.3.5 released a couple days ago, patches a fairly significant bug in the way iOS validates SSL/TLS certificates. This vulnerability can allow an attacker to intercept and/or modify data protected within an SSL session without the user knowing it. This was possible to due the fact that iOS didn’t validate the basicContstrains parameter of SSL certificates in the chain.
If you’re only an occasional patcher – now is the time.
Jailbreak iOS 4.3.3 with JailbreakMe 3.0
JailbreakMe.com has been updated to allow easy untethered jailbreak of your iOS devices, just follow the instructions on the site. Thanks to a new PDF exploit from comex (with the help of chpwn), it is now possible to jailbreak iPhones, iPads (including iPad 2) and iPod Touches running iOS 4.3.3 (note this doesn’t yet include any versions below that). During the jailbreak, saurik’s Cydia app store is automatically installed.
Interestingly, users with jailbroken devices can protect themselves by patching the PDF vulnerability by using ‘PDF Patcher 2’ in Cydia. Normal users will have to wait for iOS 4.3.4 from Apple. Note, however, that having a jailbroken iPhone or iPad still makes you slightly more vulnerable to other attacks, as the iOS sandbox is essentially bypassed.
Researchers Extract iPhone Data and Passwords in Minutes
A group of German security researchers from the Fraunhofer Institute for Secure Information Technology have discovered a way of extracting personal information and stored credentials from a locked iPhone, by way of a jailbreak. By gaining physical access to an iPhone (or iPad/iTouch), an attacker is able to reboot it into recovery mode, thus allowing them to upload their own jailbroken firmware onto the device. As part of this process SSH is enabled and a script can then be uploaded to the device which uses built-in system calls to extract encrypted data (including credentials in the keychain) from the device. See the video below for a demo of their attack, which can take as little as six minutes.
This attack would not be possible without existing jailbreak mechanisms, which effectively bypass the iPhone’s sandbox and allow unsigned code to be executed. The second issue is the way that iOS handles stored data and credentials, allowing any application to request the information. This is actually a prime example of the dangers of having a jailbroken iPhone or iPad, as it makes it much easier for an attacker to execute malicious code on your device.
These kinds of issues are not isolated to iOS devices, and the same would exist on other devices that could be made to run custom scripts. This will be a tricky issue for Apple to resolve, as much of its security relies on a strong sandbox. Their best chance is to try to identify and patch as many of the vulnerabilities that could be used for a jailbreak. They will also need to review the way iOS handles encrypted data, and ensure that data cannot be extracted by arbitrary applications.
Luckily there is not yet a publicly available automated tool to perform this attack, so it is unlikely that a random thief will be obtaining your data. If you’re really worried, you can use Apple’s free Find My iPhone service to remotely wipe your iOS device should it be lost or stolen. Check out my article on protecting and recovering your iPhone from loss and theft for more information.
The team’s original research paper is available here (PDF).
Adobe Reader X Brings Sandboxing with Protected Mode
Adobe recently released Adobe Reader X, the latest incarnation of their PDF viewer software. Over a year after Adobe’s promised ‘security push’ into Reader, and numerous vulnerabilities, exploits and malware, this version finally brings the hotly discussed sandboxing feature.
The sandboxing, or Protected Mode as Adobe call it, would restrict PDFs to an extremely limited running environment. Initially the sandbox will control any write operations attempted by PDFs, to try and prevent malware being written to disk. A later update is expected to bring ‘read’ control as well, to prevent information stealing.
Although this is a good step forward for Adobe Reader, it remains to be seen whether any of their changes will be effective at mitigating vulnerabilities that attempt to read/write directly from memory. It’ll be interesting to see what kinds of vulnerabilities will come out in the coming months.
Either way, Adobe Reader X brings a number of security fixes and improvements, and is thus a recommended update.
JailbreakMe and the PDF Exploit
[Update] JailbreakMe 3.0 for iOS 4.3.3 is out!
JailbreakMe.com by comex (et al.) now provides an easy way of remotely jailbreaking the iPhone, iPad and iPod – including those running iOS up to 4.0.1.
The technique works thanks to a specially-crafted PDF document which exploits a vulnerability in the font engine library (possibly libfreetype) used by Mobile Safari. Another local privilege escalation exploit (possibly in IOKit) is then used to gain root access on the device, allowing for the jailbreak to take place.
Depending on the device used to visit jailbreakme.com, the site will deliver one of its existing payloads, to perform the initial exploit. During the jailbreak it will download an additional 3.7MB bin file.
Although this may seem like a great ‘feature’ to potential jailbreakers, users should be aware that a severe underlying flaw exists which allows this remote jailbreaking to take place. Until Apple patches this, iPhone users should beware of visiting untrusted sites, as this same exploit could potentially be modified to carry out attacks on legitimate non-jailbroken iPhones.
Here’s a video of someone jailbreaking Apple Stores for fun.
[Update 4/8/10] ultrasn0w update brings iPhone 4 carrier unlock.
[Update 11/8/10] iOS 4.0.2/3.2.2 update patches these two vulnerabilities.
[Update 12/8/10] comex has released the source code for the jailbreak exploit.
Loading ...
