Seriously people, why are we even discussing jailbreaking at this point ? This is not what this is about. Me and many others don't give a flying hoot about jailbreaking and we want this fix. This is a very serious flaw and it needs patching quick. A website should not be able to overwrite core parts of the OS and break the security in place.

Anyone at this point who is worried about their jailbreak is (and this is a fact, not an insult) dumb as a brick. You do not understand what is really going on here, and should really educate yourself.

We have a gaping remote root vulnerability that now has exploit code in the wild. This is the kind of thing that led to stuff like Code Red, Nimda and Blaster on Windows. Apple is doing the right thing here, no matter what the result is for the jailbreak community. Put your holy crusade against Apple and their jailbreaking stance aside for a minute and think of the consequences of this.

And if you think you're safe because you've jailbroken, you're wrong. The same vulnerabilities are on your phone. You can still get owned remotely because of this if you don't patch. Sure, Cydia offers an app that asks for confirmation each time you open a PDF, but what are the chances you'll just click YES every time ?
 
I don't see the massive need for a jailbreak anymore. Skype calls over 3g, multitasking is here, cut and paste, spell check, wallpapers. I enjoy not having to worry if there will be issues or something going wrong due to jailbreaking. I must say it was a must living in Australia and having the 1st gen iphone back in 2007 but once the 3G came along with the app store it became less and less.

Agreed. I jailbroke my 3g phone a few days ago just for the halibut and to see what the big deal was. It was easy and there have been no problems at all but many of the Cydia apps are worthless (even more so than the ones in the Apple store if you can believe it.)

Unless you want to go with a different carrier the features in iOS 4 make jailbreaking kinda pointless.
 
Today I unlocked my phone for shiggles. I threw my T-Mobile SIM in and here's what I got.

I think I'll stick with AT&T 3G. Thanks though. :rolleyes:

If you stay in the U.S. unlocking really isn't necessary IMO--unless you're in a strong T-mobile reception area (do they exist?)

However, if you travel internationally it's much cheaper to stick a local pre-paid sim in your iPhone and use it rather than have to pay international rape fees or simply not use your phone.
 
I see a lot of people saying "I don't see the point in jailbreaking...."

I have one word for you.

Tethering.

I get about 2MB/sec download on my laptop when tethered to my 3GS in a 3G area.

And no monthly charge for it. Wheeeeeee!

Thank you Cydia.
 
I see a lot of people saying "I don't see the point in jailbreaking...."

I have one word for you.

Tethering.

You don't need to jailbreak for that, you just need a sensible carrier. I have tethering on my 3GS included in my monthly data plan.

And again, this isn't about jailbreaking, this is about a serious flaw getting a fix. Forget about jailbreaking for a second, your phone is open to attack by a remote web site.
 
You don't need to jailbreak for that, you just need a sensible carrier. I have tethering on my 3GS included in my monthly data plan.

Bully for you. I don't have that option without the jailbreak. Neither do the majority of iPhone users. So yes, we need to jailbreak for that.
 
Bully for you. I don't have that option without the jailbreak. Neither do the majority of iPhone users. So yes, we need to jailbreak for that.

Last I checked, the majority of iPhone users aren't with AT&T.

And again, this isn't about jailbreaking at all. This is about a remote root vulnerability with existing exploit code. Jailbreaking is the last of our worries as owners of iPhones right now.
 
Unless you want to go with a different carrier the features in iOS 4 make jailbreaking kinda pointless.

I don't know about that. I have no interest in going with a different carrier, but I think the following Cydia Apps/hacks make my phone better than it is without them:

1. Infinifolder (more than 12 apps in a folder)
2. SBSettings (quick toggles for things like WiFi and brightness, and access to a list of the apps that are actually running in the background)
3. Activator (allows quick access to loads of functions, like being able to turn on the LED flashlight by shaking the phone, gesture, or certain taps)
4. My3G (lets me download files from that AppStore and iTunes over the cell networks without any file size restrictions and lets me make FaceTime calls over 3G)
5. PDF Loading Warner (warns me when a website attempts to load a PDF and lets me cancel so that I can prevent malicious code from being run on my phone)

5 is a little bit of a joke. Point is, there are loads of non-pointless Cydia/Rock apps that add functionality to the iPhone, and that's without mentioning the controversial MyWi (oops, I just did). On a more serious note, even if I weren't interested in jailbreaking, I'd probably do it this go 'round just to install the PDF Loading Warner. Seriously, it's the only defense against malicious code execution.
 
Agreed. I jailbroke my 3g phone a few days ago just for the halibut and to see what the big deal was. It was easy and there have been no problems at all but many of the Cydia apps are worthless (even more so than the ones in the Apple store if you can believe it.)

Unless you want to go with a different carrier the features in iOS 4 make jailbreaking kinda pointless.


same here

mywi you have to pay $10 for. same with the sms apps. if i ever have a need to tether i'll just pay the $20 to AT&T for that month and expense from my employer. and i'm not paying $10 for smilies in texts.

wifi itunes sync, don't care

the themes look like they were done by a 5 year old and get old after 20 minutes

don't really care about sbsettings either. i'm not OCD where i'm constantly playing with the phone. i'll listen to music and read something on it. most of the settings i'll change twice a day like brightness.

i'll check out the emulators and SSH apps and what else they have and will probably go back to stock once 4.1 comes out with game center.

i'll keep my son's iphone jailbroken since he likes the dora the explorer theme
 
And again, this isn't about jailbreaking, this is about a serious flaw getting a fix. Forget about jailbreaking for a second, your phone is open to attack by a remote web site.

Oh brother.

Yes! Yes! Turning on your phone will make it be teh haxor target!1!1

Wait :rolleyes: no it won't.

How likely are you to come up against a PDF from a legitimate website that has this exploit? (not astalavisa.box.sk/PDFEXPLOITiPHONETEST.pdf)

Better yet, does ANYONE have a sample of the payload in action besides the jailbreak?

I'm not saying this isn't serious, but foaming at the mouth fantasizing about exploding hacked iPhones is FUD.
//
Anywho, On some third party sites people are very skewed on the situation.
Hackers target SSH enabled phones with default passwords -> JailBroken iPhones hacked -> iPhones Hacked -> Headline: iPhone is the most unsecured phone on the planet nobody is safe.

Jailbreak uses PDF exploit -> PDFs hack iPhone -> iPhones Hacked -> Headline : iPhone is the most unsecured phone on the planet doom is inevitable.

BTW I'm 100% pro jailbreak because I know they are a talented bunch. Even if you disagree with "the movement", every time they exploit something that's another thing that Apple clearly missed and will have patched in the next revision. The time in between an exploit's uncovering and its patching may have you feeling vulnerable, but so far most (if not all?) exploits have been cooked up in the lab and POC to death. To date there haven't been any wild outbreaks that affect non-jb users.
 
Does coolness require such lousy spelling and grammar?

Well, you're not cool if you're over the age of nine, so ... yes, yes it does.

Seriously, this is a *BAD* hole. Jailbreaking through a *website* using a *remote* exploit like this just isn't worth the danger that someone on a malicious website will overwrite your kernel with something that allows him to track you via GPS, take pictures remotely from your phone and upload them to his FTP site, eavesdrop on your telephone conversations or even turn on your microphone when you think the phone is off. All of these things are possible - with a remote exploit. So Apple has to jump on this immediately.
 
No, you got it all wrong. He didn't say Apple was losing fans. He said Apple was "loosing" fans. :D

loosing fans from the giant security hole!


I wonder if they can do the upgrade exactly as the jailbreak method was - just visit a website and it can update your software, then closing the hole behind it....
 
I'm not saying this isn't serious, but foaming at the mouth fantasizing about exploding hacked iPhones is FUD.
//
Anywho, On some third party sites people are very skewed on the situation.
Hackers target SSH enabled phones with default passwords -> JailBroken iPhones hacked -> iPhones Hacked -> Headline: iPhone is the most unsecured phone on the planet nobody is safe.

Jailbreak uses PDF exploit -> PDFs hack iPhone -> iPhones Hacked -> Headline : iPhone is the most unsecured phone on the planet doom is inevitable.

Here's an attack vector using this exploit:

Set up a free WiFi access point next door to a coffee house at a college, with your own DNS server as the default DNS server. Set up your DNS so that it points say www.amaxon.com to your own machine. On the portal page, load a tiny PDF with the payload and a window that says "I think you meant www.amazon.com" and then after a pause redirects to the Amazon site. In the payload, include a script that changes the DNS on the iPhone to always point at your own DNS. Now you can redirect certain legitimate sites to proxies that you control, repost the GET and POST requests to the legitimate sites while skimming all the data, and copy back all the responses while skimming that.

And that's easy. All it takes is knowledge of how to set DNS in iOS.
 
Glad the exploit is getting fixed. Just hope Apple doesn't break the jailbreak itself. It's time for Apple to stop the fight against the JB community. With the federal ruling and the ease of the latest JB leading to so many first timers enjoying the choice of apps that the Cydia/Rock stores give them, Apple really can't ignore the fact that people want to do this with their phones. I don't have a problem with Apple not supporting JB phones, but let it be a "do at your own risk" kind of thing. Time to stop the cat and mouse game.

Jailbreaking exploits security holes, and Apple will never stop patching security holes. I think you'll be waiting a long time.
 
Here's an attack vector using this exploit:

Set up a free WiFi access point next door to a coffee house at a college, with your own DNS server as the default DNS server. Set up your DNS so that it points say www.amaxon.com to your own machine. On the portal page, load a tiny PDF with the payload and a window that says "I think you meant www.amazon.com" and then after a pause redirects to the Amazon site. In the payload, include a script that changes the DNS on the iPhone to always point at your own DNS. Now you can redirect certain legitimate sites to proxies that you control, repost the GET and POST requests to the legitimate sites while skimming all the data, and copy back all the responses while skimming that.

And that's easy. All it takes is knowledge of how to set DNS in iOS.

very crafty indeed :D, but I can't buy it.

that's near needing local access (pwn2own anyone?). I mean, yes, the payload gets dropped, but needing to connect to your AP is far, FAR different than the *remote exploit of all remote exploits* that everyone is thinking about.
 
Please speak English. What you wrote was not.

This is an international forum and it's the second time in less than 24 hours that I have to read such an obnoxious statement on MacRumors.

We foreigners are at least so polite to try to communicate in a language that is not our mother tongue. There are more people speaking Spanish or Mandarin on this planet than there are English speakers. For most, English is just a second or third language, but the point is that we actually know more than just your language (or rather: dialect of a language).

Maybe you should appreciate the fact that we are doing you a favor - and not the other way around.
 
Oh brother.

Yes! Yes! Turning on your phone will make it be teh haxor target!1!1

Wait :rolleyes: no it won't.

How likely are you to come up against a PDF from a legitimate website that has this exploit? (not astalavisa.box.sk/PDFEXPLOITiPHONETEST.pdf)

Better yet, does ANYONE have a sample of the payload in action besides the jailbreak?

The jailbreak is proof of concept exploit code. It could've been anything else. And seriously, if you don't think this is a serious flaw, there's nothing I can do but hope you have no link whatsoever to security at your firm. :rolleyes:

very crafty indeed :D, but I can't buy it.

that's near needing local access (pwn2own anyone?). I mean, yes, the payload gets dropped, but needing to connect to your AP is far, FAR different than the *remote exploit of all remote exploits* that everyone is thinking about.

Yes, because setting up a rogue access point near starbucks is such a hard thing to do... :rolleyes:. I'm sure no one will go "Hey, free wifi!" and get owned by this method...

We're talking mobile wireless devices that connect to dozens of networks. How many times do you scan for a wireless AP and try them out while on the move ? Tons of people do. This is a serious flaw with a proof of concept. Just need to change the payload from a jailbreak to something nastier.
 
I have had nothing but amazing service and support from Apple for every product I've owned. Compared to other companies, Apple is a million miles ahead.

You obviously never had the pleasure of dealing with Dell's business support unit. I wish Apple's service was even remotely as good as Dell's business support.

But I agree with what you said about Apple's products. While Apple - is - expensive, their products are really awesome.
 
Apple cares about power, control, and of course money. The user experience is the least of their worries no matter what Jobs spits which is nothing more than retail rhetoric.

Exactly! Big companies aren't here to comfort you; they're here to MAKE MONEY.

Wow. In a business marketplace of you guys and me, I'd be a billionaire. Success depends on giving customers what they want, or they don't come back. Look to Microsoft. They gave IT geek/weenies exactly what they wanted (something to tinker and fix all day long, job security) and it turned into the biggest computer business ever.
 
The jailbreak is proof of concept exploit code. It could've been anything else. And seriously, if you don't think this is a serious flaw, there's nothing I can do but hope you have no link whatsoever to security at your firm. :rolleyes:

I'm not saying this isn't serious, but foaming at the mouth fantasizing about exploding hacked iPhones is FUD.
Clean your screen man....Seriously ;). And my firm is fine, thanks. All of my boxes are tended to with TLC.

Yes, because setting up a rogue access point near starbucks is such a hard thing to do... :rolleyes:. I'm sure no one will go "Hey, free wifi!" and get owned by this method...

We're talking mobile wireless devices that connect to dozens of networks. How many times do you scan for a wireless AP and try them out while on the move ? Tons of people do. This is a serious flaw with a proof of concept. Just need to change the payload from a jailbreak to something nastier.

Tell you what. You show me one person who has gotten "owned" by this exploit in the wild and...
...Wait a minute. You didn't answer my question earlier. Do YOU have access to the payload? Can you link me? is there a white paper I can read? Exactly how many people have access to the exploit?

Like I said earlier, this is a serious hole BUT there have been no outbreaks in the past and as far as we know Comex et al are the only ones on the planet (besides Apple) who know what's what, so pretending that people are walking around getting hacked is just plain silly.
 
Don't see why Apple really cares :rolleyes:. There would be a lot less iPhones to replace/repair since jail-breaking voids the warranty.

I think most people jailbreak to unlock anyways to use on other carriers besides AT&T. I bet AT&T pushes Apple to avoid that from happening.

I don't think this is so much about jailbreaking but more about someone being able to really mess with your phone by just going to a website. This puts millions of users who don't even care about jailbreaking at risk. Not good at all.


You obviously never had the pleasure of dealing with Dell's business support unit. I wish Apple's service was even remotely as good as Dell's business support.

But I agree with what you said about Apple's products. While Apple - is - expensive, their products are really awesome.

I have dealt with Dell's business support and it has been hit or miss. By far the worst I have had to deal with is HP's. Since our company decided to switch to HP it has been one headache after another. We finally ended up just dropping them all together after a very short run with them.
 