Apple Says It's Got A Fix For Critical iOS 4.0 Flaws
The persistence of those who "jailbreak" their iPhones has to be a source of irritation for Apple, but this time around, the practice has actually helped uncover a pair of critical security vulnerabilities in iOS.

Apple on Wednesday said it has developed a fix for the vulnerabilities and plans to release it to customers in a forthcoming software update, although the company didn't offer a timeframe for when this might happen.

Last weekend, the iPhone Dev team proudly released Jailbreakme 2.0, which allows iPhone users running iOS 4.0 to unlock their devices by navigating to Jailbreakme.com using Safari. This made jailbreaking much easier than in the past, when users had to connect their iPhones to a PC in order to unlock their devices.

But this convenience is a double-edged sword, as it essentially provides miscreants with a blueprint for defeating the two different levels of security that Apple has built into the iPhone.

The first vulnerability, which stems from Safari's handling of PDF documents, can allow a remote attacker to load malicious code onto an iPhone or iPad by getting the user to click a link on a rigged website. The second vulnerability, which lies in the iOS kernel, allows that malicious code to bypass Apple's iOS sandboxing technology and gives the attacker complete control over the device.

These flaws are currently being exploited to remotely jailbreak Apple devices, the French research firm Vupen Security said in a Tuesday bulletin. Vupen rated the vulnerabilities as "critical," the highest on its four-level severity scale.

"The website redirects the browser to the appropriate PDF exploit file depending on the device model and version and then executes a first stage payload," according to the Vupen Security bulletin. "Once done, a second stage payload is executed to gain root privileges on the device by exploiting the kernel vulnerability."

Apple has always warned that those who jailbreak their devices may void their warranty, but the company's efforts to criminalize jailbreaking under the Digital Millennium Copyright Act were quashed by the U.S. Copyright Office last week in a ruling that described jailbreaking as "innocuous at worst and beneficial at best."

Although the iPhone Dev team indirectly helped alert Apple to what is clearly the most serious iPhone security vulnerability to date, Apple probably isn't going to be sending over any fruit baskets.

In fact, it wouldn't be at all surprising to see Apple's "may violate the warranty" stance on jailbreaking harden into a more decisive "you can be sure it will void the warranty."