Apple expected to release iOS 4.3.1 'soon' to patch Safari vulnerability

Posted in iPad, edited January 2014
On the heels of the release of iOS 4.3, Apple is expected to introduce an incremental update for its mobile devices, including the new iPad 2, to patch a newly discovered security hole in the Safari Web browser.

A vulnerability for the iOS mobile operating system was exposed this week at the Pwn2Own hacking contest by researcher Charlie Miller. As first reported by Redmond Pie, Miller noted on Twitter that he won the iPhone-specific portion of the event with his hack, but also communicated with Apple to share the exploit he used.

"Apple already has the vulnerability information and will patch soon," Miller wrote.

The exploit reportedly takes advantage of a hole in iOS to bypass Address Space Layout Randomization (ASLR), a new security feature Apple introduced in iOS 4.3.

The rules of the contest required that Miller and his hacking partner, colleague Dion Blazakis, not release the vulnerability to the public, where a malicious hacker could take advantage of it. Instead, the information has only been shared with Apple.

Miller is a renowned hacker and security expert who has also won the CanSecWest Pwn2Own security conference in the past. In 2009, he discovered a hack that could be sent via text message and would allow a hacker to take remote control of an iPhone. The issue was patched by Apple.

iOS 4.3 was released by Apple on Wednesday, and it will come preinstalled on new iPad 2 units sold starting today. One of its biggest improvements came in the Safari browser, with JavaScript rendering speeds twice as fast as in iOS 4.2, thanks to the Nitro engine ported from Mac OS X.

Comments

  • Reply 1 of 20
    noirdesir, Posts: 1,027, member
    And all iPhone 3G users are from now on using unpatched systems. And the iPhone 3G was sold in US until last summer. I think Apple should really supply security patches for at least a year for its products. An iPhone 3G bought last May is still under the one-year warranty but no longer receives security patches.
  • Reply 2 of 20
    ghostface147, Posts: 1,629, member
    So basically, a whole 500 mb update for one flaw.
  • Reply 3 of 20
    Quote:
    Originally Posted by ghostface147

    So basically, a whole 500 mb update for one flaw.

    Yea, that's what I'm thinking too.

    I'm not a software expert, so maybe someone can enlighten me. Why is it that OS X can download a 10 MB, 100 MB, etc. patch, but iOS and iOS apps need to completely re-download?
  • Reply 4 of 20
    Was Miller's the only successful breakthrough? Maybe Apple will collect all of the hacks and do all of the patches before releasing an update. I think it's time for that new security expert Apple hired from the NSA to hand Miller his @$$ with an OS and Safari that Miller can't break through. Hasn't happened yet.
  • Reply 5 of 20
    mdriftmeyer, Posts: 7,280, member
    Quote:
    Originally Posted by ghostface147

    So basically, a whole 500 mb update for one flaw.

    No. There will be more than just that. The Safari they updated to is nowhere near the current WebKit Nightly.
  • Reply 6 of 20
    Quote:
    Originally Posted by mdriftmeyer

    No. There will be more than just that. The Safari they updated to is nowhere near the current WebKit Nightly.

    Aren't they working with WebKit2 now? I haven't done the nightly downloads in a while, so I'm sort of out of the loop. Seems to me that Apple could do more, yet isn't. Who is that NSA guy anyway? Has he actually started work?
  • Reply 7 of 20
    hill60, Posts: 6,991, member
    The phone Charlie Miller hacked was running 4.2.1. He stated: “If you update your iPhone today, the MobileSafari vulnerability is still there, but the exploit won’t work. I’d have to bypass DEP and ASLR for this exploit to work”.

    So he didn't bypass ASLR.

    Source
  • Reply 8 of 20
    mdriftmeyer, Posts: 7,280, member
    Quote:
    Originally Posted by Brian Green

    Aren't they working with WebKit2 now? I haven't done the nightly downloads in a while, so I'm sort of out of the loop. Seems to me that Apple could do more, yet isn't. Who is that NSA guy anyway? Has he actually started work?

    WebKit Nightly isn't WebKit2 enabled. You still have to build that along with WebGL and other features. A ton of work has gone into WebKit 2 as it's nearing a point of release as the replacement to WebKit.

    Latest WebKit Nightly is build r80833.

    WebKit2 is enabled in OS X 10.7 Lion developer previews.

    I'm betting on them calling it Safari 6 for OS X and probably Safari 6 Mobile for iOS 5.

    They better have WebKit2 enabled in Leopard and Snow Leopard as there is no reason for them not to do so. None of the technologies are Lion specific.
  • Reply 9 of 20
    Quote:
    Originally Posted by mdriftmeyer

    They better have WebKit2 enabled in Leopard and Snow Leopard as there is no reason for them not to do so. None of the technologies are Lion specific.

    Couldn't the same thing be said about 64-bit Safari in Snow Leopard which could have probably made it to Leopard or even Tiger?
  • Reply 10 of 20
    Quote:
    Originally Posted by hill60

    The phone Charlie Miller hacked was running 4.2.1. He stated: “If you update your iPhone today, the MobileSafari vulnerability is still there, but the exploit won’t work. I’d have to bypass DEP and ASLR for this exploit to work”.

    So he didn't bypass ASLR.

    Source

    Good to know. By the time someone figures out how to bypass ASLR this vulnerability will likely be patched.
  • Reply 11 of 20
    yuusharo, Posts: 311, member
    Quote:
    Originally Posted by hill60

    The phone Charlie Miller hacked was running 4.2.1. He stated: “If you update your iPhone today, the MobileSafari vulnerability is still there, but the exploit won’t work. I’d have to bypass DEP and ASLR for this exploit to work”.

    So he didn't bypass ASLR.

    Source

    Not so good for Verizon customers who are still stuck on 4.2.6 at the moment and do not have ASLR. Although, until mobilesubstrate works for jailbroken phones on 4.3, I may not want to upgrade anyway.
  • Reply 12 of 20
    Hmm, do I smell another tethered jailbreak for iOS 4.3?
  • Reply 13 of 20
    Quote:
    Originally Posted by yuusharo

    Not so good for Verizon customers who are still stuck on 4.2.6 at the moment and do not have ASLR. Although, until mobilesubstrate works for jailbroken phones on 4.3, I may not want to upgrade anyway.

    Isn't ASLR what's holding mobilesubstrate up? Which means mobilesubstrate compatibility will be achieved at the same time everyone's vulnerable again because ASLR has been cracked.
  • Reply 14 of 20
    hill60, Posts: 6,991, member
    Quote:
    Originally Posted by ltcommander.data

    Isn't ASLR what's holding mobilesubstrate up? Which means mobilesubstrate compatibility will be achieved at the same time everyone's vulnerable again because ASLR has been cracked.

    Apart from ASLR not being cracked, that is, if you'd like to refer to my earlier post.
  • Reply 15 of 20
    nkhm, Posts: 928, member
    Quote:
    Originally Posted by noirdesir

    And all iPhone 3G users are from now on using unpatched systems. And the iPhone 3G was sold in US until last summer. I think Apple should really supply security patches for at least a year for its products. An iPhone 3G bought last May is still under the one-year warranty but no longer receives security patches.

    If there is a security patch required for it, then it will receive one; there will be an incremental update to the current operating system provided for that device. This is standard Apple practice. There was an upgrade to 10.5 after 10.6 was launched in order to do just this.
  • Reply 16 of 20
    Quote:
    Originally Posted by libertyforall

    Hmm, do I smell another tethered jailbreak for iOS 4.3?

    iOS 4.3 is already broken, untethered.
  • Reply 17 of 20
    scafe2, Posts: 61, member
    Why don't Apple make this guy an offer he cannot refuse and make him an Apple employee continually checking the security...?
  • Reply 18 of 20
    Quote:
    Originally Posted by mdriftmeyer

    No. There will be more than just that. The Safari they updated to is nowhere near the current WebKit Nightly.

    They can't patch the phone without patching the firmware; that way, if you ever have to reset it, the update sticks. You also can't edit a read-only file system.
  • Reply 19 of 20
    jnjnjn, Posts: 588, member
    Quote:
    Originally Posted by Scafe2

    Why don't Apple make this guy an offer he cannot refuse and make him an Apple employee continually checking the security...?

    Apple already has very good security experts, like Ivan Krstic. Miller isn't necessary; remember, iOS 4.3 isn't cracked. Being a good hacker isn't the same as being a good designer of secure systems.

    Note that the hacks of Miller don't lead to viruses. The exploits are prepared several months before the contest and probably based on known bugs in the open source parts of the code (say WebKit).

    The fact that iOS devices are updated on a regular basis and the difficult and time-consuming process of finding exploitable bugs keep iOS (and Mac OS X) virus free.

    It's the open source community and Apple experts that keep it this way; this is very different for Windows, with only 'closed' code.

    Sloppy report of Appleinsider by the way.

    J.
  • Reply 20 of 20
    Quote:
    Originally Posted by acslater017

    Yea, that's what I'm thinking too.

    I'm not a software expert, so maybe someone can enlighten me. Why is it that OS X can download a 10 MB, 100 MB, etc. patch, but iOS and iOS apps need to completely re-download?

    If I remember rightly (not in a place with ubiquitous wi-fi atm) the iPhone's storage is divided in two: one mounted at the root of the file system and the 8 GB / 16 GB whatever mounted under a folder for your apps and music. When it's time to update the phone, basically the phone gets put into recovery mode and the new firmware image is written to OS storage. When the phone reboots, it's then running the new firmware. This offers a higher degree of reliability (which is a good thing; you don't want the upgrade to brick your phone) but the penalty is that you have to download a large binary file every time you upgrade.