Apple expected to release iOS 4.3.1 'soon' to patch Safari vulnerability
On the heels of the release of iOS 4.3, Apple is expected to introduce an incremental update for its mobile devices, including the new iPad 2, to patch a newly discovered security hole in the Safari Web browser.
A vulnerability in the iOS mobile operating system was demonstrated this week at the Pwn2Own hacking contest by researcher Charlie Miller. As first reported by Redmond Pie, Miller noted on Twitter that he had won the iPhone-specific portion of the event with his hack, and that he had also shared the exploit he used with Apple.
"Apple already has the vulnerability information and will patch soon," Miller wrote.
The exploit reportedly takes advantage of a hole in iOS to bypass Address Space Layout Randomization (ASLR). ASLR is a new security feature introduced by Apple in iOS 4.3.
The rules of the contest required that Miller and his hacking partner, colleague Dion Blazakis, not release the vulnerability to the public, where a malicious hacker could take advantage of it. Instead, the information has only been shared with Apple.
Miller is a renowned hacker and security expert who has also won the Pwn2Own contest at the CanSecWest security conference in the past. In 2009, he discovered a hack that could be delivered via text message and would allow an attacker to take remote control of an iPhone. The issue was patched by Apple.
iOS 4.3 was released by Apple on Wednesday, and it will come preinstalled on new iPad 2 units sold starting today. One of its biggest improvements came in the Safari browser, with JavaScript rendering speeds twice as fast as in iOS 4.2, thanks to the Nitro engine ported from Mac OS X.
Comments
So basically, a whole 500 MB update for one flaw.
Yea, that's what I'm thinking too.
I'm not a software expert, so maybe someone can enlighten me. Why is it that OS X can download a 10 MB, 100 MB, etc. patch, but iOS and iOS apps need to completely re-download?
So basically, a whole 500 MB update for one flaw.
No. There will be more than just that. The Safari they updated to is nowhere near the current WebKit Nightly.
No. There will be more than just that. The Safari they updated to is nowhere near the current WebKit Nightly.
Aren't they working with WebKit2 now? I haven't done the nightly downloads in a while, so I'm sort of out of the loop. Seems to me that Apple could do more, yet isn't. Who is that NSA guy anyway? Has he actually started work?
Aren't they working with WebKit2 now? I haven't done the nightly downloads in a while, so I'm sort of out of the loop. Seems to me that Apple could do more, yet isn't. Who is that NSA guy anyway? Has he actually started work?
WebKit Nightly isn't WebKit2 enabled. You still have to build that along with WebGL and other features. A ton of work has gone into WebKit 2 as it's nearing a point of release as the replacement to WebKit.
Latest WebKit Nightly is build r80833.
WebKit2 is enabled in OS X 10.7 Lion developer previews.
I'm betting on them calling it Safari 6 for OS X and probably Safari 6 Mobile for iOS 5.
They better have WebKit2 enabled in Leopard and Snow Leopard as there is no reason for them not to do so. None of the technologies are Lion specific.
They better have WebKit2 enabled in Leopard and Snow Leopard as there is no reason for them not to do so. None of the technologies are Lion specific.
Couldn't the same thing be said about 64-bit Safari in Snow Leopard which could have probably made it to Leopard or even Tiger?
The phone Charlie Miller hacked was running 4.2.1; he stated: "If you update your iPhone today, the MobileSafari vulnerability is still there, but the exploit won't work. I'd have to bypass DEP and ASLR for this exploit to work."
So he didn't bypass ASLR.
Source
Good to know. By the time someone figures out how to bypass ASLR, this vulnerability will likely be patched.
The phone Charlie Miller hacked was running 4.2.1; he stated: "If you update your iPhone today, the MobileSafari vulnerability is still there, but the exploit won't work. I'd have to bypass DEP and ASLR for this exploit to work."
So he didn't bypass ASLR.
Source
Not so good for Verizon customers who are still stuck on 4.2.6 at the moment and do not have ASLR. Although, until mobilesubstrate works for jailbroken phones on 4.3, I may not want to upgrade anyway.
Not so good for Verizon customers who are still stuck on 4.2.6 at the moment and do not have ASLR. Although, until mobilesubstrate works for jailbroken phones on 4.3, I may not want to upgrade anyway.
Isn't ASLR what's holding mobilesubstrate up? Which means mobilesubstrate compatibility will be achieved at the same time everyone's vulnerable again because ASLR has been cracked.
Isn't ASLR what's holding mobilesubstrate up? Which means mobilesubstrate compatibility will be achieved at the same time everyone's vulnerable again because ASLR has been cracked.
Apart from ASLR not being cracked that is, if you'd like to refer to my earlier post.
And all iPhone 3G users are from now on using unpatched systems. And the iPhone 3G was sold in US until last summer. I think Apple should really supply security patches for at least a year for its products. An iPhone 3G bought last May is still under the one-year warranty but no longer receives security patches.
If there is a security patch required for it, then it will receive one: an incremental update to the current operating system provided for that device. This is standard Apple practice. There was an update to 10.5 after 10.6 was launched in order to do just this.
Hmm, do I smell another tethered jailbreak for iOS 4.3?
iOS 4.3 is already broken, untethered
No. There will be more than just that. The Safari they updated to is nowhere near the current WebKit Nightly.
They can't patch the phone without patching the firmware, that way, if you ever have to reset it, the update sticks. You also can't edit a read only file system.
Why don't Apple make this guy an offer he cannot refuse and make him an Apple employee continually checking the security,..?
Apple already has very good security experts, like Ivan Krstic. Miller isn't necessary; remember, iOS 4.3 isn't cracked. Being a good hacker isn't the same as being a good designer of secure systems.
Note that Miller's hacks don't lead to viruses. The exploits are prepared several months before the contest and are probably based on known bugs in the open source parts of the code (say, WebKit).
The fact that iOS devices are updated on a regular basis, and the difficult and time-consuming process of finding exploitable bugs, keeps iOS (and Mac OS X) virus free.
It's the open source community and Apple experts that keep it this way, this is very different for Windows with only 'closed' code.
Sloppy report of Appleinsider by the way.
J.
Yea, that's what I'm thinking too.
I'm not a software expert, so maybe someone can enlighten me. Why is it that OS X can download a 10 MB, 100 MB, etc. patch, but iOS and iOS apps need to completely re-download?
If I remember rightly (not in a place with ubiquitous wi-fi atm), the iPhone's storage is divided in two - one partition mounted at the root of the file system and the 8 GB / 16 GB / whatever partition mounted under a folder for your apps and music. When it's time to update the phone, basically the phone gets put into recovery mode and the new firmware image is written to the OS storage. When the phone reboots, it's then running the new firmware. This offers a higher degree of reliability (which is a good thing - you don't want the upgrade to brick your phone), but the penalty is that you have to download a large binary file every time you upgrade.