Zero-day attacks on the iPhone via outdated applications

On July 31st Apple released the iPhone patch 1.0.1. The next day, Charles Miller released details of a vulnerability that was included in the patch release. The vulnerability was in an open source application on the iPhone, the PCRE (Perl Regular Expression Library) parser used by the JavaScript engine in Safari. Even though Miller found the exploit via fuzzing, he made a really interesting point which can lead to attackers finding easy 0-day exploits for the iPhone: the iPhone is running outdated open source applications. In this case, it was PCRE 6.2 with the latest version being 7.2. Just by simply looking at the changelog you can see that PCRE version 6.7 documented the vulnerability that was used,

18. A valid (though odd) pattern that looked like a POSIX character class but used an invalid character after [ (for example [[,abc,]]) caused pcre_compile() to give the error “Failed: internal error: code overflow” or in some cases to crash with a glibc free() error. This could even happen if the pattern terminated after [[ but there just happened to be a sequence of letters, a binary zero, and a closing ] in the memory that followed.

As more layers are uncovered with the iPhone and the Mac OS X underneath expect more 0-day exploits using the simple technique of open source version diffing. Also, hopefully, Apple will learn from this experience and keep the open source components up to date.