About Me

David Marcus

David Marcus
Director, Security Research
Dave Marcus currently serves as Director of Security Research for McAfee® Labs, focusing on bringing McAfee’s ...

Read More

Feeds & Podcasts

Blogs

Meet the Bloggers

Archive

Tags

#SecChat $1 million guarantee 12 Scams of Christmas access to live fraud resolution agents Acquisition Alex Thurber Android antivirus Apple botnet Channel Partners cloud security Compliance Consumer counter identity theft credit card fraud and protection credit fraud alerts credit monitoring credit monitoring and resolution critical infrastructure Cyber Security Mom cyberbullying Cybercrime cybermom data breach data center data center security Data Protection Dave DeWalt DLP Email & Web Security embedded encryption Endpoint Protection enterprise facebook fake anti-virus software Family Safety Friday Security Highlights global threat intelligence google government Hacktivism how to talk to kids how to talk to teens identity fraud identity fraud scams identity protection identity protection $1 million guarantee identity protection fraud identity protection surveillance identity surveillance identity theft identity theft expert identity theft fraud identity theft protection identity theft protection product Identity thieves and cybercriminals intel iphone kids online behavior lost wallet protection malware McAfee McAfee Channel McAfee Family Protection McAfee Identity Protection McAfee Initiative to Fight Cybercrime McAfee Labs McAfee security products Mid-Market Mobile mobile malware mobile security monitor credit and personal information Network Security online personal data protection online safety Operation Aurora PCI personal identity theft fraud personal information loss personal information protection phishing privacy proactive identity protection proactive identity surveillance Public Sector restore credit and personal identity Risk and Compliance scam scams scareware security smartphones social media social networking social networks spam Stuxnet twitter vulnerability Web 2.0 work with victim restore identity

McAfee Labs :

Remote iPhone Jailbreak Using PDF Exploit Should Serve as Wake-Up Call

Tuesday, August 3, 2010 at 8:54am by David Marcus
David Marcus

Like many iPhone users, I “jailbreak” my iPhone. I do this for many reasons, but mainly for console-level access and the darn cool infosec tools that are available through Cydia. Like many iPhone users, I was quite happy when the Electronic Frontier Foundation (EFF) was able to get jailbreaking included under “fair use” within the Digital Millennium Copyright Act. Like many iPhone users, I was also very happy to learn that Dev-Team would soon make remote jailbreaking possible by simply visiting their jailbreakme website. Alas my happiness was not to last.

While still at Defcon, I saw through Twitter that one exploit or another was being used to remotely jailbreak the iPhone. (I believe the first tweets I saw were from Brian Krebs.) I then saw posts from VUPEN that several flaws were being exploited. From their advisory:

Technical Description

Two vulnerabilities have been identified in Apple iOS for iPhone, iPad and iPod, which could be exploited by remote attackers to take complete control of a vulnerable device.

The first issue is caused by a memory corruption error when processing Compact Font Format (CFF) data within a PDF document, which could be exploited by attackers to execute arbitrary code by tricking a user into visiting a specially crafted web page using Mobile Safari.

The second vulnerability is caused by an error in the kernel, which could allow attackers to gain elevated privileges and bypass sandbox restrictions.

Note: These flaws are currently being exploited by jailbreakme to remotely jailbreak Apple devices.

Affected Products

Apple iPhone OS (iOS) versions 4.x
Apple iPhone OS (iOS) versions 3.x
Apple iPod OS (iOS) versions 4.x
Apple iPod OS (iOS) versions 3.x
Apple iPad OS (iOS) versions 3.x

Solution

VUPEN Security is not aware of any vendor-supplied patch.

References

http://www.vupen.com/english/advisories/2010/1992

Did you notice the line “VUPEN is not aware of any vendor-supplied patch”? In the security business we call those zero-day vulnerabilities. We call code that takes advantage of zero-day vulnerabilities zero-day exploits. (I have not seen confirmation from Apple that these are in fact zero-day vulnerabilities, so keep that in mind).

I hope I am not the only one who is bothered by this because it begs the question “What else can this be used for?” Vulnerabilities with reliable exploit code tend to get reused and repurposed for other attacks/malware/uses. Just look at the .LNK vulnerability that Microsoft fixed yesterday via an out-of-band patch. It originally targeted power-plant control systems as the Stuxnet worm and then appeared in more mainstream malware because it was an unpatched vulnerability with working exploit code. Read this article in The Register for a real nice breakdown of it.

This should serve as a wake-up call for anyone with a mobile device: Remote exploitation is real and here to stay. For now these vulnerabilities are being used only (as far as we know) to jailbreak iPhones, but they could be used to do many other things to iPhones and their owners around the world.

Bookmark and Share

Submit your own comments / message for this post

Your email is never published nor shared. Required fields are marked *

 

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Comments (3)

  • Grace August 9, 2010 10:16PM

    “In its ongoing commitment of providing safer, faster and more stable PDF software tools, Foxit is taking a proactive measure in securing its 100 million PDF Reader users against the iPhone/iPad Jailbreaking application that utilizes malicious PDFs to hack the systems of unsuspecting users. Hackers are now trying to use these malicious PDF’s to access sensitive data on desktops. Foxit welcomes all PDF Reader users to download the latest version of the Foxit Reader 4.1.1 which addresses and resolves the issues related to the jailbreak hack.

    To protect iPhone/iPad users from the jailbreak program that is being used to exploit iPhones in the way they handle PDFs, Foxit is preannouncing its soon to be submitted PDF Reader App for iPhone. Foxit believes that the upcoming release of its Foxit Reader for iPhone will provide a secure PDF reader for the iPhone. Foxit will be submitting this App within two weeks and it will have full PDF viewing capability. Just as with the Windows Reader, Foxit PDF Reader for iPhone will protect users against malicious PDFs.”

    Reply
  • Sandeep August 6, 2010 5:37AM

    really scary actually… iphone bloggers spread the world abt jailbreakme or other tools so frantically without even understanding how they are able to break into the system from a webpage… its only after reading this you see the dark side of it.

    Reply
  • P99 August 4, 2010 7:34AM

    I was thinking the same thing when I read the first article about jailbreakme. Don’t get me wrong, it’s a great tool but opens up a wide-world to malicious attackers. We all are guilty of having our entire life on our mobile phones so they should be protected just as our computers are. I’ve been asking antivirus makers to please make a mobile antivirus for major smartphones like the iPhone (most importantly), Droid, etc to no avail. I could only hope that they are secretly building a weapon against mobile attacks now that we’ve seen quite a few malicious worms, bugs, and exploits.

    Reply