July 23, 2020

Apple Releases iOS 5.0.1 To Kill Code-signing Bug

Apple has released iOS 5.0.1 for the iPhone, iPad and iPod Touch to fix half a dozen security vulnerabilities, including the code-signing bug that Charlie Miller discovered recently and the iPad 2 Smart Cover bug.

A few days ago Charlie exposed a flaw in Apple’s code signing system, which ensures that only Apple-approved applications can run on an iPhone or iPad. If Apple hadn’t fixed this issue, it would have been possible for developers to upload apps to iTunes that could run new code on your phone that Apple never had a chance to check. This in turn would let malware into Apple’s tightly controlled ecosystem.

According to the security note issued by Apple, Charlie’s flaw was due to a logic error that existed in the mmap system call’s checking of valid flag combinations. This issue does not affect devices running iOS prior to version 4.3.

The other important fix in iOS 5.0.1 is the iPad Smart Cover bug. The problem was that when a Smart Cover is opened while an iPad 2 is confirming power off in the locked state, the iPad does not request a passcode.

Other things fixed in this release include:

  • Visiting a maliciously crafted website may lead to the disclosure of sensitive information. An issue existed in CFNetwork’s handling of maliciously crafted URLs. When accessing a maliciously crafted HTTP or HTTPS URL, CFNetwork could navigate to an incorrect server.
  • Viewing a document containing a maliciously crafted font may lead to arbitrary code execution. Multiple memory corruption issues existed in FreeType, the most serious of which may lead to arbitrary code execution when processing a maliciously crafted font.
  • An attacker with a privileged network position may intercept user credentials or other sensitive information. Two certificate authorities in the list of trusted root certificates have independently issued intermediate certificates to DigiCert Malaysia. DigiCert Malaysia has issued certificates with weak keys that it is unable to revoke. An attacker with a privileged network position could intercept user credentials or other sensitive information intended for a site with a certificate issued by DigiCert Malaysia. This issue is addressed by configuring default system trust settings so that DigiCert Malaysia’s certificates are not trusted. We would like to acknowledge Bruce Morton of Entrust, Inc. for reporting this issue.
  • Visiting a maliciously crafted website may lead to the disclosure of sensitive information. An issue existed in libinfo’s handling of DNS name lookups. When resolving a maliciously crafted hostname, libinfo could return an incorrect result.

Apple also fixed non-security-related bugs in iOS 5.0.1, including tweaks to extend the battery life of devices running the OS.

Researcher Finds iOS Vulnerability Then Loses his Developer Program Status

(LiveHacking.Com) – Charlie Miller, a veteran at finding vulnerabilities in OS X and iOS, has discovered a flaw in iOS that allows rogue apps to download and execute unapproved code on an iOS device. As a proof of concept, Charlie successfully uploaded an app to Apple’s iTunes store, a trick which then cost him his rights as an iOS developer.

Charlie is no stranger to hacking Apple products. In 2008 he won a $10,000 prize at the hacker conference Pwn2Own for cracking a MacBook Air in under 2 minutes. In 2009, he won $5,000 for cracking Safari in under 10 seconds. And in the very same year he also demonstrated an SMS processing vulnerability that allowed for the complete compromise of an iPhone.

His latest discovery exposes a flaw in Apple’s restrictions on code signing, Apple’s largely successful way to ensure that only Apple-approved applications can run on an iPhone or iPad. Charlie plans to present his findings at the SyScan conference in Taiwan next week.

“Now you could have a program in the App Store like Angry Birds that can run new code on your phone that Apple never had a chance to check,” says Miller. “With this bug, you can’t be assured of anything you download from the App Store behaving nicely.”

However, once Apple discovered what Charlie had been up to, it terminated his iOS Developer Program License:

“This letter serves as notice of termination of the iOS Developer Program License Agreement…between you and Apple,” the email read. “Effective immediately.”

Of course, Apple is well within its rights to terminate Charlie’s developer license; he broke the terms of the license. However, we are left wondering whether Apple wouldn’t have done better to contact Charlie and get him to explain the flaw to them.

Charlie isn’t the only person trying to get around Apple’s security systems. Pod2g, an iPhone hacker from the Chronic Dev Team, is reporting that he has found a bug in Apple’s iOS 5 that may allow for the development of an untethered jailbreak:

“Hey jailbreaking friends, I’ve found a bug that can untether iOS 5. Don’t expect a release soon, but I’m gonna work hard in it.”