
Hacker Charlie Miller, who just discovered an SMS vulnerability that affects the iPhone, suggests that it is very unsafe to use a jailbroken iPhone. Jailbreaking is when a user removes Apple’s barriers to installing third-party applications, allowing users to install software that is not distributed via the iTunes Store, as well as cracked software. It also allows users to use the iPhone with carriers other than the exclusive carrier in their country. (iPhones without carrier limitations are sold in a handful of countries, but currently not in the US, for example.)
At the SyScan security conference in Singapore, Miller said, “If you care about security, don’t use a jailbroken iPhone.” He said that jailbreaking removes about 80 percent of the security protections built into the iPhone software, leaving users open to a wide variety of attacks.

Indefatigable hacker Charlie Miller has found a serious flaw in the iPhone, one that has Apple scrambling to get it fixed. Miller found a vulnerability in the way the iPhone handles text messages (SMSs), and Miller – who recently said “no more free bugs” – apparently has been working with Apple to help fix the flaw.
As reported by Infoworld, this bug “allows an attacker to run software code on the phone that is sent by SMS over a mobile operator’s network. The malicious code could include commands to monitor the location of the phone using GPS, turn on the phone’s microphone to eavesdrop on conversations, or make the phone join a distributed denial of service attack or a botnet.”
Miller will be presenting more information about this flaw at the coming Black Hat security conference, later this month. In the meantime, Apple is hoping to have a patch for this vulnerability by the end of the month. Discussing this flaw, Miller said, “The iPhone is more secure than OS X, but SMS could be a critical vulnerability.”

Apple has released its new OS for the iPhone and iPod touch, and, as often with this sort of release, the OS includes a number of security fixes. There are more than 40 fixes altogether (details here), including a number that affect WebKit, the page-rendering framework used by Safari. A quick comparison of the fixes in this update with those of the recent Safari 4.0 update shows a number of similarities, since the code base for the iPhone OS and Mac OS X is the same. The iPhone update contains many other fixes, though, for elements such as CoreGraphics, Exchange, IPSec, Mail and Telephony.
This update is only available through iTunes. It is free for iPhone users and costs $10 for iPod touch users.

When we issued a security memo last month about a serious Java vulnerability that had been unpatched in Mac OS X, we kind of hoped that Apple would react more quickly. But it still took another four weeks after Landon Fuller released a proof-of-concept example of how the vulnerability could be exploited. Apple has finally released updates to Java, for both Mac OS X 10.4, Tiger, and Mac OS X 10.5, Leopard.
The Leopard update patches more than 150 individual bugs in Java, and the Tiger update patches more than 100 bugs. But most important is that they patch the critical vulnerability that we warned against in our security memo, which could allow serious drive-by attacks, where users could get infected by merely visiting a malicious web page that contained a Java applet.
You can find further information about these updates here: Tiger version and Leopard version. You can download and install them using Software Update.

Together with the announcement of Snow Leopard’s price and availability yesterday at the WWDC, Apple announced the immediate release of Safari 4, which had been previously available in a beta version. Safari (available here or via Software Update) includes 50 (!!!) security fixes. From five fixes to CoreGraphics to four issues corrected in Safari itself to 32 fixes to WebKit (Apple’s underlying rendering framework, which is used by other programs that display HTML pages, from Mail to Help Viewer to many third-party applications), this is the biggest security update (in number of discrete fixes) that we have seen in a long time. It is especially notable that this update essentially fixes just one program and a framework, unlike the general security updates that patch many elements of the operating system. We are still, however, waiting for a fix to that Java vulnerability that we reported recently.
A full list of the security fixes in Safari 4 is available here.

Apple yesterday made a final presentation of Snow Leopard, or Mac OS X 10.6. This new version of Apple’s operating system is an enhancement of Leopard, Mac OS X 10.5, rather than a radically new OS. Its new features are improvements, not innovations. Apple is refining the operating system, making it 64-bit, and improving the use of multiple processors, but shying away from adding a plethora of visible new features: the changes will mostly be under the hood.
One change we had hoped to see was improved security. Not individual security fixes, but a hardened security backbone for the OS. But Apple seems to have either made few changes in security, or has decided not to publicize them. The only comments about security in Snow Leopard on the Apple web site are the following:
“Another benefit of the 64-bit applications in Snow Leopard is that they’re even more secure from hackers and malware than the 32-bit versions. That’s because 64-bit applications can use more advanced security techniques to fend off malicious code.
“First, 64-bit applications can keep their data out of harm’s way thanks to a more secure function-passing mechanism and the use of hardware-based execute disable for heap memory. In addition, memory on the system heap is marked using strengthened cryptographic signatures, helping to prevent attacks that rely on corrupting memory.”
This talks about applications, which are important, but not about the operating system itself. It is true that preventing attacks that “rely on corrupting memory” is important, because many exploits use such weaknesses to get into the operating system, but we would have liked to see more. Perhaps Apple simply hasn’t felt like presenting other security enhancements, because of its shy attitude toward discussing security. Let’s hope so, and let’s hope to see more security features between now and the release date of September.

