While Apple hasn’t issued an advisory, it has acknowledged the vulnerabilities being used by the jailbreakme.com site and says it has already developed a fix that will ship in an upcoming update. As reported in the New York Times, the German Federal Office for Information Security (BSI) said it had identified two vulnerabilities in iOS, and Apple’s statement was a response to the BSI’s report.
But the big story isn’t a vulnerability in iOS; that is hardly the first or the last. This is the first iPhone vulnerability to be exploited in the wild, even if not maliciously. [Correction: I have been reminded that the very first iPhone jailbreak was based on an unpatched vulnerability in the libpng library.] The way it works proves that drive-by malware is possible on the iPhone: a user visits a web page, the device opens a crafted file, and the attacker’s code runs, with almost nothing on the device to stop it.
No doubt there are many more vulnerabilities like the ones at issue here. Software that parses complex, attacker-supplied data formats such as PDF is a rich source of such bugs, and Apple has fixed scores of them in OS X in the last few years. At least on OS X you can get antivirus and IPS software to protect against known attacks; on the iPhone things are different.
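To show why parsers of length-prefixed binary formats keep producing exploitable bugs, here is an added example (my own code, not anything from Apple, Adobe or the jailbreakme.com exploit, and not the actual iOS bug). It parses a constructed toy record format, `[1-byte tag][2-byte big-endian length][payload]`, the same shape as the length fields inside PDF streams and embedded font tables. `parse_unchecked` trusts the length field the way a careless parser does; `parse_checked` validates the length against both the input that remains and the destination buffer before copying. The format, the record tags and the sample byte strings are all invented for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 64  /* destination buffer for tag 0x01 payloads */

/* Hypothetical format (constructed for this example): a stream of records,
 * each [1-byte tag][2-byte big-endian length][payload]. Tag 0x01 carries a
 * name string that the parser copies into a NAME_MAX-byte buffer. */

/* "Before": the attacker controls plen, and nothing checks it. A plen larger
 * than NAME_MAX overflows name_out; a plen larger than the remaining input
 * reads past the end of buf. Do not call this with untrusted input. */
int parse_unchecked(const uint8_t *buf, size_t len, char *name_out)
{
    size_t off = 0;
    int records = 0;
    name_out[0] = '\0';
    while (off + 3 <= len) {
        uint8_t tag = buf[off];
        size_t plen = ((size_t)buf[off + 1] << 8) | buf[off + 2];
        off += 3;
        if (tag == 0x01) {
            memcpy(name_out, buf + off, plen);  /* unchecked length: overflow */
            name_out[plen] = '\0';
        }
        off += plen;
        records++;
    }
    return records;
}

/* "After": every length is checked against what is actually available.
 * Returns the number of records parsed, or -1 if the input is malformed. */
int parse_checked(const uint8_t *buf, size_t len, char *name_out, size_t name_cap)
{
    size_t off = 0;
    int records = 0;
    if (name_cap == 0) return -1;
    name_out[0] = '\0';
    while (off < len) {
        if (len - off < 3) return -1;          /* truncated header */
        uint8_t tag = buf[off];
        size_t plen = ((size_t)buf[off + 1] << 8) | buf[off + 2];
        off += 3;
        if (plen > len - off) return -1;       /* payload runs past the input */
        if (tag == 0x01) {
            if (plen >= name_cap) return -1;   /* must leave room for the NUL */
            memcpy(name_out, buf + off, plen);
            name_out[plen] = '\0';
        }
        off += plen;                           /* cannot overflow: plen <= len - off */
        records++;
    }
    return records;
}

/* Constructed sample inputs. */
static const uint8_t BENIGN[] = {
    0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',  /* name record, 5 bytes */
    0x02, 0x00, 0x02, 0xAA, 0xBB                /* some other record, 2 bytes */
};
/* Claims a 256-byte name but only 3 bytes of payload follow. */
static const uint8_t TRUNCATED[] = { 0x01, 0x01, 0x00, 'a', 'b', 'c' };

int demo_benign(char *name_out)      { return parse_checked(BENIGN, sizeof BENIGN, name_out, NAME_MAX); }
int demo_benign_unchecked(char *out) { return parse_unchecked(BENIGN, sizeof BENIGN, out); }
int demo_truncated(void)
{
    char name[NAME_MAX];
    return parse_checked(TRUNCATED, sizeof TRUNCATED, name, NAME_MAX);
}
/* Length fits inside the input but not inside the destination buffer. */
int demo_oversized(void)
{
    uint8_t big[3 + 80] = { 0x01, 0x00, 80 };
    char name[NAME_MAX];
    memset(big + 3, 'A', 80);
    return parse_checked(big, sizeof big, name, NAME_MAX);
}

int main(void)
{
    char name[NAME_MAX];
    printf("benign:    %d records, name=\"%s\"\n", demo_benign(name), name);
    printf("truncated: %d\n", demo_truncated());
    printf("oversized: %d\n", demo_oversized());
    return 0;
}
```

The two checks in `parse_checked` are the whole difference: `plen > len - off` rejects a length that points past the input, and `plen >= name_cap` rejects one that would not fit the destination. Writing the comparison as `len - off` rather than `off + plen > len` also avoids the integer-overflow variant of the same bug. In a real format there are dozens of such length fields, which is exactly why parsers for PDF, fonts and images keep needing fixes.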
Remember, in case you thought otherwise, that PDF is an open standard, and in fact an ISO standard. Anyone can implement it, and Adobe has been busy making sure everyone knows it didn’t write the vulnerable code in iOS.
The problem is that it’s impossible to secure a device, any device, including an iPhone, without some sort of manageable endpoint security software on it. All the other mobile platforms have such products, but even though the iPhone has 1.3 zillion apps, it has no endpoint security software. I asked Mikko Hypponen of F-Secure about this. F-Secure has long been aggressive about moving into mobile device protection, anticipating, as we all do, that it would some day turn into a real problem. Mikko said “Antivirus vendors can’t build a realtime antivirus system for iPhone without Apple’s help. So far, Apple has not been interested.”
This is completely in line with Apple’s general attitude that security is someone else’s problem. It’s why they take an appallingly long time to fix so many critical vulnerabilities (although researchers tell me they do listen and do, eventually, fix the problems). It also means that the “window of vulnerability”, the time between a bug becoming known and a patch reaching users, is long on the iPhone and on OS X, and that gives a big advantage to attackers.
I’m getting a feeling that this episode could be the bootstrap for the real beginning of the Apple malware problem. Like mobile malware generally, it has been expected for ages because it just makes sense, but it hasn’t happened. Perhaps the answer is that the Apple malware writers will skip the Mac altogether and write their malware for the iPhone. It just makes sense.