GigaOM » Apple

If Apple can’t beat jailbreakers, it’ll recruit them

Darrell Etherington — Fri, 26 Aug 2011 12:21:59 +0000

For Comex, a 19-year-old iPhone hacker whose real name is Nicholas Allegra, jailbreaking the iPhone comes easy. He’s a member of the iPhone Dev Team, the group responsible for continually frustrating Apple’s attempts to keep iOS a closed system. Apple must be tired of all this frustration, since the company has apparently offered Allegra an internship beginning in September.

Allegra is responsible for JailbreakMe 3.0, a web-based jailbreak tool released in July and designed to be used on iPhones, iPad and iPod touches running iOS 4.3.3. Before that, he created Spirit, which was an untethered jailbreak for iOS devices running iOS 3.1.2 to 3.2, and he was also a Nintendo Wii homebrew software developer.

Allegra has been described by other iPhone hackers and Forbes as somewhat of a prodigy, and he’s been compared to some of the most advanced computer systems security experts in the world.

Apple probably thinks it’s better to have Allegra working with it rather than against it. In theory, his ability to quickly and easily locate exploits in iOS code will give Apple advance notice of problems before they arise, so that it can patch holes before software updates hit the public. In practice, it’s unlikely to stop the cat-and-mouse game of jailbreaking altogether, but kudos to Apple for trying a solution that doesn’t involve civil suits and generally draconian behavior.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

Apple working on a fix for potential iOS security threat

Darrell Etherington — Thu, 07 Jul 2011 14:57:12 +0000

Apple is already working on a fix for a security flaw reported by the German Federal Office for Information Security Wednesday. The Mac maker said in a statement that it “takes security very seriously,” and is “aware of this issue and developing a fix that will be available to customers in an upcoming software update.”

There isn’t a specific timeline for when the update will be released, but when it does arrive, it’ll also shut down the ability to jailbreak iOS devices using the most recent JailbreakMe browser-based method. The jailbreak takes advantage of the same exploit which poses a potential security threat and involves the way in which Safari and Mail manage PDF file downloads.

Apple will likely be quick with an update, considering the nature of the German IT agency’s warning. The organization called the flaw a “critical weakness,” and one which is “sufficient to infect the mobile device with malware without the user’s knowledge.” It affects users running iOS 4.3.3, and possibly older versions as well, according to the German agency.

While users await a software update to patch the hole, the best way to avoid any potential security threats is to avoid downloading PDF files from any untrusted sources, either via email or mobile Safari. As mobile web access becomes more popular, it’s generally a good idea for users to practice the same kind of safe browsing that helps avoid malicious attacks on desktop computers as well, part of which means not downloading content when its origin is at all suspect or hazy.

A similar flaw was discovered in August 2010 that also allowed for web-based jailbreak, and also caught the attention of the German government. Apple took about a week to issue an iOS update to patch the problem at that time, so it’s reasonable to expect a similar timeline for release with a 4.3.4 update.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

Sponsor post: Jailbreakers: First iPhone Worm Discovered, Features Rick Astley

Darrell Etherington — Mon, 09 Nov 2009 19:16:09 +0000

The first iPhone worm has been discovered. It comes to us via Australia, and appears to be limited to that country for now, although it has the potential to spread. It also stars Rick Astley, so to speak. The work changes the iPhone’s wallpaper to an image of the 1980s pop singer, who’s enjoyed a recent resurgence thanks to the Rick-rolling Internet phenomenon.

The worm has the ability to break into jailbroken iPhones only. Even if you’ve jailbroken, you still aren’t vulnerable unless you’ve also installed SSH, and not changed the default password after doing so. As a result, only a small fraction of the larger iPhone community is probably susceptible to the “ikee virus,” as it is called in its own source code.

Still, it shows that as the platform matures and becomes more widespread, it also becomes the target of more malicious attacks. Most hackers, like any businesspeople, are interested in the bottom line, and part of that involves targeting the largest group of people possible. With millions of users worldwide, the iPhone is definitely an appealing mark. ikee’s creator, a hacker calling himself “ikex,” cites a different explanation for this particular worm’s creation:

Why?: Boredom, because i found it so stupid the fact that on my initial scan of my 3G optus range i found 27 hosts running SSH daemons, i could access 26 of them with root:alpine. Doesn’t anyone RTFM anymore?

In the case of this worm, which only changes the background wallpaper to the Astley photo with the slogan, “ikee is never going to give you up” across the top, Graham Cluley of SophosLabs suggests it’s really only an experiment:

The source code is littered with comments from the author suggesting the worm has been written as an experiment. One of the comments berates affected users for not following instructions when installing SSH, because if they had changed the default password the worm would not have been able to infect them.

While not dangerous in and of itself (it actually sort of provides a service by reminding users to take precautions), it could open the door for similar programs with less innocuous payloads. Hopefully, jailbreak users will learn from the experience and be prepared if someone more sinister tries to do the same thing again.

It’ll be interesting to see whether Apple latches onto this as a means to further decry the evils of jailbreak. If it leads to more serious exploits, it definitely would constitute a good reason to stay on the straight and narrow. In either case, expect to see more security concerns surrounding the iPhone as it continues its commercial success.

Remote Denial of Service For OS X (Leopard)

Bob Rudis — Wed, 27 Feb 2008 19:40:57 +0000

Given the large amount of “feedback” I receive from many venues on why I’m crazy for suggesting that OS X users employ some type of client-side security software, I wanted to point out a very recent exploit that I saw over at Joel Esler’s blog. The vulnerability is around the IPv6 networking layer of the underlying BSD operating system. Here’s the code:

ORIGINAL
md = m_pulldown(m, off, sizeof(*ipcomp), NULL);
if (!m) {

WHAT IT SHOULD HAVE BEEN
md = m_pulldown(m, off, sizeof(*ipcomp), NULL);
if (!md) {

A one character difference in source code in an open source component trickled it’s way up to our shiny new operating system.

Anti-virus software won’t help you on this one (and I’m sure someone will point that out and continue to defend the lack of need for client security), but it provides a clear example of how coding errors in the operating system can – and will – be exploited, which is a strong enough reason to put up defenses in other areas. Again, it’s completely based on your risk appetite and there is a contingent of OS X users that swear by the notion of not investing in security until there is overt reason to. This example should prod some of those folks to start thinking more about how vulnerable their invulnerable systems really are.

The problem exists only in the IPv6 networking layer, and – since most folks do not need IPv6 enabled – you can disable IPv6 in each of the network interfaces in your Network System Preferences to give yourself a bit of protection. Here’s an example of that via the Airport configuration panel:

Apple should be fixing this in the next security update.

More info on the exploit: Secunia, InformationWeek, digit labs

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.

Zero Day Exploit For QuickTime Flaw

Bob Rudis — Fri, 11 Jan 2008 11:00:48 +0000

InformationWeek is reporting that an Italian security researcher has posted a exploit for a zero-day vulnerability in QuickTime 7.3.1 that impacts both OS X and Windows versions of the software. This exploit will allow an attacker to execute malicious code on the target system.

The “researcher”, Luigi Auriemma, describes the exploit as being based on a flaw in QuickTime’s parsing of HTTP error messages and has not provided Apple with advance notice before publishing the proof-of-concept code. Symantec has confirmed that the flaw can produce a Denial of Service, but has not confirmed the remote code execution claim.

As of this post, Apple has not posted a fix to this issue, but here are some steps you can take to protect yourself (via US-CERT):

Uninstall QuickTime (OK, kinda extreme)
Block the rtsp:// protocol (given how much we love streaming media, not likely either)
Disable the RTSP protocol handler (reasonable, depending on your risk tolerance) Mac OS X users can disable the RTSP protocol handler by editing the ~/Library/Preferences/com.apple.LaunchServices.plist file with Property List Editor. Change the LSHandlerRoleAll value associated with the rtsp LSHanlderURLScheme to something other than com.apple.quicktimeplayer. This process can be simplified by using an application such as RCDefaultApp.
Disable QuickTime as the RTSP protocol handler on OS X (reasonable…you can pick RealPlayer as an alternative). To disable the RTSP registered protocol handler in OS X open ~/Library/Preferences/com.apple.LaunchServices.plist and look through ahundred or more entries to find RTSP and change it to something else.
Do not access QuickTime files from untrusted sources (duh). Attackers may host malicious QuickTime files on web sites. In order to convince users to visit their sites, those attackers often use a variety of techniques to create misleading links including URL encoding, IP address variations, long URLs, and intentional misspellings. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.

Related research and analysis from GigaOM Pro:
Subscriber content. Sign up for a free trial.