Apple said it's trying to fix a pair of critical iOS security holes affecting both iPhone and iPad after researchers at Germany’s security agency warned that the vulnerabilities could enable cyber criminals to “jailbreak” mobile devices and access users’ personal data.
“Jailbreaking” a device allows users or hackers to exploit security vulnerabilities in order to bypass security mechanisms and install programs not authorised for distribution by Apple’s App Store.
Specifically, the vulnerabilities affect PDF files transmitted or viewed on several versions of Apple’s iOS -- Apple’s mobile operating system that powers iPhone, iPad and iPod Touch -- according to researchers at the German Federal Office for Information Security, also known as BSI.
The flaws occur in iPhone 3G and iPhone 4, as well as iPad and iPod Touch, running iOS 4.3.3 and higher, BSI researchers said in a (German) advisory .
BSI researchers said they had contacted Apple about the problem.
"Apple takes security very seriously, we're aware of this reported issue and developing a fix that will be available to customers in an upcoming software update," Apple said in a statement.
However, Apple declined to specify exactly when the fix would be released.
One security issue occurs in the way the iOS parses fronts in the mobile version of Apple’s Safari browser, while another allows hackers to bypass Apple’s ASLR (address space layout randomisation), a security feature that involves random position arrangement of key data areas that make it more challenging for hackers to predict target addresses and launch attacks.
BSI researchers alerted users to the iOS vulnerabilities on Wednesday, hours after the latest release of the JailbreakMe framework, version 3.0, became publicly available.
In the event of an attack
In an attack scenario, cyber criminals could exploit the security flaws by creating a malicious PDF distributed via a link embedded over e-mail or social networking site. Apple's browser Safari would open the infected PDF file once users clicked on the link, subsequently downloading malware onto their device. Attackers could then use the installed malware to access users' personal or financial data stored on their iPhones or iPads, including online banking information, credit card numbers, text messages, calendars, e-mails and passwords. They could also exploit the flaw to intercept users’ phone conversations and locate and track users via the iPhone’s GPS capabilities.
“And then the attacker could do anything from setting the iPhone’s wallpaper to a picture of Rick Astley, to opening a remote connection and stealing log files from the phone,” said Sean Sullivan, security advisor at Finnish security firm F-Secure .
Thus far, no active attacks exploiting the flaw in the wild have been detected, BSI researchers said, but they advised users to avoid clicking on unsolicited links or opening PDFs delivered from unknown sources, while only visiting trusted Web sites.
First successful workaround
Andrew Storms, director of security operations for security firm nCircle , said that this particular vulnerability appears to be the first successful workaround for both ASLR and Data Execution Prevention (DEP), a security feature preventing applications from executing code from a non-executable memory region.
As such, cyber criminals would likely find ways to launch active attacks in the near future, Storms said.
Attacks Exploiting iOS Flaw Could Be Imminent“This looks to be the first public exploit to bypass both of those protections,” Storms said. “Given that, there’s a lot of people looking at this and learning from this right now.”
Because Apple prohibits anti-virus programs from being offered through its App Store, users will be required to wait for Cupertino to deliver an update before being adequately protected from any future attacks exploit the flaw. As such, only users with previously jailbroken iPhones will be able to repair the flaw by installing PDF Patcher 2 — a program not offered by the App Store — which would temporarily protect the device from attack until a patch could be released.
The iOS flaw is reminiscent of a previous iOS jailbreaking flaw detected in August of last year , which also enabled cyber criminals to bypass security mechanisms on the iPhone or iPad to unlock the device and install malicious programs. Apple issued a fix for that bug within two weeks.
Storms said that it wouldn’t be unreasonable to expect a similar response from Apple addressing the current iOS flaw.
“We can probably expect a response within a similar timeframe, given the successful manner in which these two protection mechanisms were bypassed. Apple may be working faster than ever to lock that down,” he said.
However, F-Secure’s Sullivan said that because the nature of the flaw would likely prompt Apple to patch quickly, he didn’t expect many criminally motivated attacks successfully executed for financial gain. But the high-profile nature of the vulnerability would easily lend itself to political or recreational attacks, he added.
“I would not be at all surprised if some AntiSec hackers were to exploit iOS device owners ‘for the Lulz,’” he said. “The ‘hacktivism’ of the last couple of months has made it much more likely to for this to be exploited than last year.”