Hackers release browser-based 'jailbreak' for iPhone 4


Comments

  • Reply 161 of 178
    tulkas Posts: 3,757 member
    I expect Apple will patch this exploit fairly quickly. For those that are jailbroken, you can soon get a plugin from Cydia that will at least mitigate the chances of this same exploit being used from another website. Look for PDF Loading Warner. It doesn't patch the problem, but it at least gives you a warning before a PDF can be loaded in Safari and subsequently use the exploit. For those of us that are not jailbroken, we just have to wait.
  • Reply 162 of 178
    tulkas Posts: 3,757 member
    Quote:
    Originally Posted by DocNo42:

    http://support.apple.com/kb/HT4131
    Another comforting thought. Is it just the iOS?

    The underpinnings of Safari and the iOS are shared with Mac OSX. Is this exploit flexible enough to grant root access on Mac OS X with Safari on Mac OS X?

    Lovely.

    Apple has a serious issue indeed. Here's to hoping they don't take two weeks to address it

    They fixed what appears to be the same problem on the desktop in June.

    Security Update 2010-003

    Guess they didn't have time to integrate it into the iOS branch before launch. Unfortunate, because posting the details probably led to using this particular vector on iOS. Good news is that if they already have it fixed in Mac OSX, they should be able to get a fix out quickly for iOS.

    Quote:
    Impact: Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution.

    Description: An unchecked index issue exists in Apple Type Services' handling of embedded fonts. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution. This issue is addressed through improved index checking. Credit to Charlie Miller working with TippingPoint's Zero Day Initiative for reporting this issue.
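The advisory quoted in the post above names the bug class (an unchecked index into an embedded font's tables) and the fix (index checking). The C below is an added illustration, not code from this thread or from Apple: it parses a constructed, simplified font table and refuses to lay out a document whose glyph indices or declared table size fall outside the bytes actually present. The table layout, the sample fonts and the function names are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed, simplified embedded-font layout used only for this example
 * (not the format Apple Type Services actually parses):
 *   data[0]      N, the number of glyphs the font declares
 *   data[1..N]   advance width of glyph 0..N-1
 * The document then refers to glyphs by index. Trusting either N or those
 * indices without checking them against the real buffer is the "unchecked
 * index" bug class named in the advisory. */
typedef struct {
    const uint8_t *data;
    size_t len;
} font_blob;

/* Header check: the table the font declares must fit inside the bytes we hold. */
int font_valid(const font_blob *f) {
    if (f == NULL || f->data == NULL || f->len < 1) return 0;
    size_t declared = f->data[0];
    return declared + 1 <= f->len;
}

/* Advance width of glyph `idx`, or -1 if the font or the index is bad.
 * An unchecked parser would return data[1 + idx] for any idx. */
int glyph_width(const font_blob *f, unsigned idx) {
    if (!font_valid(f)) return -1;
    if (idx >= f->data[0]) return -1;   /* the index check the fix adds */
    return f->data[1 + idx];
}

/* Total advance of a glyph run; -1 means the document referenced a glyph
 * the font does not contain, so layout stops instead of reading past it. */
long layout_run(const font_blob *f, const uint8_t *run, size_t run_len) {
    long total = 0;
    for (size_t i = 0; i < run_len; i++) {
        int w = glyph_width(f, run[i]);
        if (w < 0) return -1;
        total += w;
    }
    return total;
}

/* Constructed samples: a well-formed font, and one that declares 200 glyphs
 * but carries only two widths (the header lies about the table size). */
static const uint8_t good_font[] = {3, 10, 20, 30};
static const uint8_t lying_font[] = {200, 10, 20};
static const uint8_t run_ok[] = {0, 2, 1};
static const uint8_t run_bad[] = {0, 7};   /* glyph 7 is outside a 3-glyph table */

long demo_good(void)         { font_blob f = {good_font, sizeof good_font};   return layout_run(&f, run_ok, sizeof run_ok); }
long demo_bad_index(void)    { font_blob f = {good_font, sizeof good_font};   return layout_run(&f, run_bad, sizeof run_bad); }
long demo_lying_header(void) { font_blob f = {lying_font, sizeof lying_font}; return layout_run(&f, run_ok, sizeof run_ok); }
```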
  • Reply 163 of 178
    tbell Posts: 3,146 member
    I jailbroke and unlocked a 3GS running 4.0. Works great. T-Mobile is working great (wasn't working at all before on this phone). My buddy has the iPhone 4. He said the FaceTime and MMS issues have been fixed.

    I am a big Apple guy, but it is BS that Apple tries to lock the phone down. I bought the hardware. People would yell bloody murder if Apple tried that BS on a Mac.

    Quote:
    Originally Posted by jb2017:

    I've JB two iPhone 4's and after the install is complete everything works fine. When you need to restart your iPhone 4 you lose two key features, FaceTime and MMS. I've heard you can do a restore to get it back but I've not been able to... Let me know if anyone else has the same probs or has a workaround.
  • Reply 164 of 178
    tbell Posts: 3,146 member
    It isn't a serious issue. Most people don't go to unfamiliar websites where people would be taken advantage of.

    The guy is a hero in my book. I just sent him money.

    Quote:
    Originally Posted by Tulkas:

    Are you for real? It isn't a serious issue? To again quote Gruber, "remote code exploit now in the wild". Think about that for a second and I dare you to say again "It's not at this point a serious issue." You think only one site has this exploit active? I hope so. Cuz if others do, they probably won't be as benign as this site.
  • Reply 165 of 178
    focher Posts: 687 member
    1) Apple has every right to sell a product that works as they design it.

    2) Once I give a retailer my money for that product, I own it and now am the sole decider of what to do with it.

    If Apple doesn't like my rights under #2, then they shouldn't engage in the activity covered by #1.
  • Reply 166 of 178
    tribalogical Posts: 1,182 member
    Just an update. I successfully used the Jailbreakme.com tool to jailbreak, and then ultrasn0w 0.93 to unlock, my 3GS running iOS 4.0.1 (firmware 5.13.04)...

    So it works with all the latest and greatest OS/firmware. iPhone 4 version of the unlock isn't ready yet, but expected in a day or so.

    I can now make calls using my local Ukrainian provider... happy day.

    The only issue I've run into so far is that whenever I initiate a call I get a popup telling me "Call Forwarding Active". I have to manually dismiss that. No idea what that's about, since call forwarding is definitely set to off...

    I'll write the developer about it.

    Otherwise, it all worked very painlessly. I was surprised how easy it all was.

    Now, to change my SSH password, and I'm good to go (I don't have any need to download 3rd party apps, so no risks there...).
  • Reply 167 of 178
    tulkas Posts: 3,757 member
    Quote:
    Originally Posted by TBell:

    It isn't a serious issue. Most people don't go to unfamiliar websites where people would be taken advantage of.

    The guy is a hero in my book. I just sent him money.

    I think the guy behind jailbreakme is awesome. The tool itself is great. But the mechanism behind it shows a gaping security hole.

    You say most people won't visit unfamiliar pages. Maybe that is true and maybe it isn't. It doesn't get around the possibility that sites you do visit are compromised, whether internally or through cross site or injection attacks or other external methods. You may be familiar with the sites you browse to, maybe, but you have no idea of their current status.
  • Reply 168 of 178
    jragosta Posts: 10,473 member
    Quote:
    Originally Posted by Tulkas:

    Are you for real? It isn't a serious issue?

    It would help if you read my entire post:

    I specifically stated: "Yes, this is a serious flaw that needs to be fixed."

    It is NOT a problem that's going to affect many people at this point since you have to intentionally go to the site and intentionally tell it to jailbreak your phone. That doesn't mean it shouldn't be (or won't be) fixed. It just means that it's not hurting anyone at this point. You can be sure Apple will fix it.
  • Reply 169 of 178
    solipsism Posts: 25,726 member
    Quote:
    Originally Posted by TBell:

    It isn't a serious issue. Most people don't go to unfamiliar websites where people would be taken advantage of.

    The guy is a hero in my book. I just sent him money.

    Some do and some don't. More accurately I'd say people don't go to sites they think are malicious, but they do go to new sites they've never been to and it's possible for sites to get hijacked.

    As for this guy being a hero, I don't quite see how "hero" could be applied. With the original iPhone hack that used a hole in Safari to jailbreak the device the jailbreak also plugged the security hole as a result. Does this do the same thing or does it leave it wide open?
  • Reply 170 of 178
    tulkas Posts: 3,757 member
    Quote:
    Originally Posted by jragosta:

    It would help if you read my entire post:

    I specifically stated: "Yes, this is a serious flaw that needs to be fixed."

    It is NOT a problem that's going to affect many people at this point since you have to intentionally go to the site and intentionally tell it to jailbreak your phone. That doesn't mean it shouldn't be (or won't be) fixed. It just means that it's not hurting anyone at this point. You can be sure Apple will fix it.

    Yes, I did see the wiggle room you tried to give yourself in attempting to minimize the scope of the problem here. The problem is that you look really foolish saying "Yes, this is a serious flaw that needs to be fixed" and then following that up with "It's not at this point a serious issue". So, saying it is a serious problem but not a serious problem doesn't add more to your credibility.

    Unfortunately, you are wrong in the excuses you tried to use. Who gives a fuck what this particular site requires to use the exploit, in terms of the user having to initiate it. The problem is that this exploit is in the wild. The problem is that it might affect sites you trust. The problem is that it could be crafted not to require user authorization and/or hide what you are actually authorizing. The problem is that if you have been using your browser over the last few days to read a PDF (or a PDF from another source) you might have been jacked... you just don't know it. In fact, it doesn't matter how many people visit this site. Could be millions. Who cares? That site is not the risk.

    It is a serious issue. And I am certain Apple will fix it. They already did over a month ago on Mac OS X, so they should be able to get it out very quickly for iOS.
  • Reply 171 of 178
    tulkas Posts: 3,757 member
    Quote:
    Originally Posted by solipsism:

    Some do and some don't. More accurately I'd say people don't go to sites they think are malicious, but they do go to new sites they've never been to and it's possible for sites to get hijacked.

    As for this guy being a hero, I don't quite see how "hero" could be applied. With the original iPhone hack that used a hole in Safari to jailbreak the device the jailbreak also plugged the security hole as a result. Does this do the same thing or does it leave it wide open?

    This hole probably is not as easy to properly patch without access to Apple's own PDF rendering engine.
  • Reply 172 of 178
    matt_s Posts: 300 member
    Quote:
    Originally Posted by jragosta:

    AT&T gives you a contract. You agree to the contract. The contract does not allow tethering.

    You have 2 choices:

    1. Choose a different carrier (and phone).

    2. Obtain an iPhone with AT&T contract under false pretenses and violate the contract.

    Sorry, but #2 is completely unethical and tantamount to theft. You're taking a service you didn't pay for.

    There are more than 2 choices. There are many. For example, you can travel to a country that legislates cell phone freedom and purchase an Apple-unlocked iPhone & then use a service like T-Mobile. You can pay $1200 for a new iP4 that's unlocked and sold here in the US by companies such as Celluloco and others & plop a T-Mobile SIM card into it. You can even do what I did - my 2-year contract with ATT has expired, I purchased a new iPhone off shore, JBroke it and simply put my ATT SIM card in. Since my contract has expired, I'm not violating any contracts.

    There's nothing inherently wrong or immoral or unethical with jailbreaking a piece of equipment you own, it's totally legal & legit. If there's a hardware problem with your phone that warranty should cover, just do a restore before you walk back into the Apple Store. Jailbreaking will not damage your hardware whatsoever, it will simply free you from the limited market freedom being imposed by corporate goliaths that seek to maintain their control and protect their little turf.
  • Reply 173 of 178
    druble Posts: 62 member
    Quote:
    Originally Posted by Tulkas:

    Yes, I did see the wiggle room you tried to give yourself in attempting to minimize the scope of the problem here. The problem is that you look really foolish saying "Yes, this is a serious flaw that needs to be fixed" and then following that up with "It's not at this point a serious issue". So, saying it is a serious problem but not a serious problem doesn't add more to your credibility.

    Unfortunately, you are wrong in the excuses you tried to use. Who gives a fuck what this particular site requires to use the exploit, in terms of the user having to initiate it. The problem is that this exploit is in the wild. The problem is that it might affect sites you trust. The problem is that it could be crafted not to require user authorization and/or hide what you are actually authorizing. The problem is that if you have been using your browser over the last few days to read a PDF (or a PDF from another source) you might have been jacked... you just don't know it. In fact, it doesn't matter how many people visit this site. Could be millions. Who cares? That site is not the risk.

    It is a serious issue. And I am certain Apple will fix it. They already did over a month ago on Mac OS X, so they should be able to get it out very quickly for iOS.

    Well said. I may not use Apple products, but I have kinda been feeling bad for the guys just a little. When people downplay issues like this they are keeping a lot of people from getting a resolution from them. Like I pointed out in my earlier posts, this is HUGE. An exploit capable of doing what the jailbreak site can do means hackers can do anything to your phone if you go to the wrong site. You also have to worry about ads that have been hijacked on sites you believe are safe. You can guarantee right now people are working on something for malicious use. People also need to consider that this could be paired with another exploit such as a txt message that automatically opens a link or other method to auto open a site. Blackhat hackers do not report exploits they find. They sit on them until they can use them, such as when an exploit such as this one becomes available. People need Apple to respond to this yesterday.
  • Reply 174 of 178
    Quote:
    Originally Posted by Mews:

    A browser based jailbreak is the best news I've heard all day. Not since 1.1.1 has it been this easy.

    Haha. I called a friend who works at a Best Buy Mac kiosk and told him he had better block this site. He didn't know what was happening; I had to clue him in to the dev-team. I have to admit, this one got me by surprise!
  • Reply 175 of 178
    Quote:
    Originally Posted by akhomerun:

    Possibly a huge security flaw, but remember, all iPhones come with the same root password by default (I think it's still "alpine"). I think this fact probably makes it easy (but I also thought without jailbreaking, you have no access to root at all. I'm fuzzy on the whole thing).

    The "alpine" root password is a remarkable gap.

    Each iPhone should have a unique root password, set at the factory, changeable by a military-level iPhone app that requires a lengthy key to open and which the Apple stores have access to for a connected use to the device...

    Certainly not foolproof but a lot better than the current remarkable gap.

    Anyone know what the other Unix-based smartphones do with respect to their root password?
  • Reply 176 of 178
    One reason to use JailBreak is to finally have Flash on my iPhone. I cannot see Flash videos, but I can finally browse websites with Flash menus or other Flash content.

    I did write more about this on http://wiki.nisi.ro/2010/08/how-to-i...n-your-iphone/

    I hope the link is not against this forum.
  • Reply 177 of 178
    solipsism Posts: 25,726 member
    Quote:
    Originally Posted by smcracraft:

    The "alpine" root password is a remarkable gap.

    Each iPhone should have a unique root password, set at the factory, changeable by a military-level iPhone app that requires a lengthy key to open and which the Apple stores have access to for a connected use to the device...

    Certainly not foolproof but a lot better than the current remarkable gap.

    Anyone know what the other Unix-based smartphones do with respect to their root password?

    I don't think changing the root password is a resolution. It would be using an algorithm to determine these passwords. So besides adding a lot of complexity to the building of the iPhones, it's likely to get cracked, but that doesn't really have to happen. Jailbreakers could get by with a single build of iOS on which they could get root. The real issue is these holes in iOS that can lead to root access.

    The only way I can see this working is for Apple to change the root password of each iOS build so that jailbreakers have a smaller but real hurdle once they find a hole to exploit, but in reality how secure is anything once you have physical access to it. This may be why Apple has chosen not to do the simple change of the password from 'alpine' for over 3 years, despite the efforts to continually try to subvert users' ability to jailbreak.
  • Reply 178 of 178
    nvidia2008 Posts: 9,262 member
    Quote:
    Originally Posted by tribalogical:

    Just an update. I successfully used the Jailbreakme.com tool to jailbreak, and then ultrasn0w 0.93 to unlock, my 3GS running iOS 4.0.1 (firmware 5.13.04)...

    So it works with all the latest and greatest OS/firmware. iPhone 4 version of the unlock isn't ready yet, but expected in a day or so.

    I can now make calls using my local Ukrainian provider... happy day.

    The only issue I've run into so far is that whenever I initiate a call I get a popup telling me "Call Forwarding Active". I have to manually dismiss that. No idea what that's about, since call forwarding is definitely set to off...

    I'll write the developer about it.

    Otherwise, it all worked very painlessly. I was surprised how easy it all was.

    Now, to change my SSH password, and I'm good to go (I don't have any need to download 3rd party apps, so no risks there...).

    The f*ktard at my office helped many of the staff jailbreak their phones. Then there was a virus that went around because nobody changed the root password. Then I asked this particular douche, hey, be sure to change yours, those people's phones you jailbroke all have viruses. Since this piece of work had to show he was always better than everyone, he was like "ah, it's okay, I'll just let mine get the virus too yay...!!" What a loser.

    My point is, nothing wrong with jailbreaking or whatever, don't forget to change the root password!

    Oh, my other point was, I hate that guy at work.