Vulnerabilities exposed in Apple iOS

Latest jailbreak service for iOS reveals vulnerability that could be used by hackers

A new "jailbreak" service for the Apple iOS, designed to circumvent current limits on uses of the iPad, iPhone and iPod Touch, has revealed a vulnerability in the operating system.

Jailbreak Me 3.0 was released earlier this week by a hacker known only as Comex, who has since been providing technical support for the tool via his Twitter feed.

It evades the security built into the iOS by exploiting a zero-day (in other words, previously undiscovered) flaw in the way Apple's Mobile Safari Web browser loads PDF files.

This flaw enabled Comex to penetrate two previously undefeated iOS security features: Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP).

Paul Roberts, security evangelist at security firm Kaspersky Lab, explained how they work on his blog:

"ASLR randomizes the location of key components in the memory address space used by active processes. That makes it much harder for attackers to locate elements such as the executable, libraries, memory stacks and heaps that are necessary to run malicious code.

"DEP prevents unauthorized code from running – for example, by blocking buffer overflows that are used to load and execute attack code."

The security flaw exposed by Comex could also be used by hackers to spread malware, or attempt to steal the data held within Apple's mobile devices.

Since Apple does not allow external security vendors to make their software available for Apple devices, the vulnerability will remain until Apple releases an official patch.

Comex himself has released his own unofficial patch, which closes the security hole. The patch can be downloaded once a device has been jailbroken.

This leaves the iOS in the embarrassing position of being safer cracked than it is out-of-the-box.

Graham Cluley, senior technology consultant at security firm Sophos, explained the dangers.

"Cyber criminals are able to create booby-trapped webpages that could – if visited by an unsuspecting iPhone, iPod Touch or iPad owner – run code on visiting devices without the user's permission. Apple will be furious that this vulnerability has been made public in this way."

Speaking exclusively to Computing recently, Kaspersky's CTO Nikolay Grebennikov stated that Apple's approach to security was over-reliant on its own expertise.

"Apple is the only protector of its iPhone and iPad users but they don't know the real situation with threats," said Grebennikov.

"It's not possible to create the products they create, and be a world leader in security too; that expertise is elsewhere.

"To remain competitive it should be looking to open up its platform within a year."

Apple were unable to comment at the time of writing.