Vulnerabilities exposed in Apple iOS

By Stuart Sumner

07 Jul 2011

A new "jailbreak" service for the Apple iOS, designed to circumvent current limits on uses of the iPad, iPhone and iPod Touch, has revealed a vulnerability in the operating system.

Jailbreak Me 3.0 was released earlier this week by a hacker known only as Comex, who has since been providing technical support for the tool via his Twitter feed.

It evades the security built into the iOS by exploiting a zero-day (in other words, previously undiscovered) flaw in the way Apple's Mobile Safari Web browser loads PDF files.

This flaw enabled Comex to penetrate two previously undefeated iOS security features: Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).

Paul Roberts, security evangelist at security firm Kaspersky Lab, explained how they work on his blog:

"ASLR randomizes the location of key components in the memory address space used by active processes. That makes it much harder for attackers to locate elements such as the executable, libraries, memory stacks and heaps that are necessary to run malicious code.

"DEP prevents unauthorized code from running – for example, by blocking buffer overflows that are used to load and execute attack code."

The security flaw exposed by Comex could also be used by hackers to spread malware, or attempt to steal the data held within Apple's mobile devices.

Since Apple does not allow external security vendors to make their software available for Apple devices, the vulnerability will remain until Apple releases an official patch.

Comex himself has released his own unofficial patch, which closes the security hole. The patch can be downloaded once a device has been jailbroken.

This leaves the iOS in the embarrassing position of being safer cracked than it is out-of-the-box.

Graham Cluley, senior technology consultant at security firm Sophos, explained the dangers.

"Cyber criminals are able to create booby-trapped webpages that could – if visited by an unsuspecting iPhone, iPod Touch or iPad owner – run code on visiting devices without the user's permission. Apple will be furious that this vulnerability has been made public in this way."

Speaking exclusively to Computing recently, Kaspersky's CTO Nikolay Grebennikov stated that Apple's approach to security was over-reliant on its own expertise.

"Apple is the only protector of its iPhone and iPad users but they don't know the real situation with threats," said Grebennikov.

"It's not possible to create the products they create, and be a world leader in security too; that expertise is elsewhere.

"To remain competitive it should be looking to open up its platform within a year."

Apple were unable to comment at the time of writing.

Reader comments

Nokia C7 vs iPhone 4

No disrespect to iPhone 4 users, but the iPhone 4 is really overrated. I have seen a comparison of the C7 vs the iPhone 4. Nokia C7 is much better. Especially with Anna and better still Belle. I would have bought an Apple if all my friends didn't have to use a silly rubber thing and worse still is the screen. How vulnerable to scratches. All iPhone 4s I see have the cellophane or sellotape on the front screen to stop the glass from being scratched. And the GPRS/EDGE is only class 10 and the Bluetooth is just 2.0. And I'm not amazingly impressed with the TFT screen especially when compared to the rich saturation and brighter AMOLED screens. And the iPhone 4 does not support HD Voice calling. I so much prefer the Nokia C7 with realtime widgets instead of looking at a bunch of icons as a home screen and use energy to go through every app and back. One glance or swipe is enough to see e-mail, news, weather, time, date, music, status, RSS feeds, etc, etc. And still have enough battery power without energy and time consuming searches through various apps. Unless I really have to. I have dumped the iPhone 4 and gone for a better designed phone for the future with firmware updates to be rolled out soon and gorilla glass screen. Honestly when you weigh up the iPhone 4 and the Nokia C7 and especially the X7! One may think twice about how really overrated the iPhone 4 has been. www.phonegg.com has a great comparison and they favour the C7 against the iPhone 4. In my country the C7 is selling like hot cakes! In fact they are hard to find in the shops due to popularity and the women especially prefer the sleek shape and simplicity and no bull crap ease of use. I can see why I'm seeing more brand new C7s in people's hands nowadays. It truly is a much better phone. 8MP full 720p filming. Very humble indeed. Just wait until Nokia reveals the X10 - Quad core - 2GHz 2GB RAM 2GB ROM - 15MP full 1040p dragontrail glass, An absolute monster of a phone. This is a King's phone.
GPU very very powerful.

Posted by: Matt  07 Jul 2011
