NEWS FROM THE LAB - Friday, August 6, 2010

Questions and Answers on the JailbreakMe Vulnerability Posted by Mikko @ 13:15 GMT

Q: What is this all about?
A: It's about a site called jailbreakme.com that enables you to Jailbreak your iPhones and iPads just by visiting the site.

Q: So what's the problem?
A: The problem is that the site uses a zero-day vulnerability to execute code on the device.

Q: How does the vulnerability work?
A: Actually, it's two vulnerabilities. First one uses a corrupted font embedded in a PDF file to execute code and the second one uses a vulnerability in the kernel to escalate the code execution to unsandboxed root.

Q: How difficult was it to create this exploit?
A: Very difficult.

Q: How difficult would it be for someone else to modify the exploit now that it's out?
A: Quite easy.

Q: Was this irresponsible disclosure?
A: Yes it was. Apple was never informed of the vulnerability.

Q: Who created this exploit?
A: The credits on jailbreakme.com are as follows: "Jailbreak by comex, website by westbaer and chpwn. Special thanks go out to BigBoss, chronic, DHowett, MuscleNerd, planetbeing, posixninja, and saurik."

Q: So this is an iPhone problem?
A: No, it's an iOS problem. Which means it affects iPhones, iPads and iPods.

Q: iPods too?
A: Yes, iPod Touch is affected. That's the iPod that looks like an iPhone.

Q: Which versions of iPhones, iPads and iPod touches are affected?
A: All of them.

Q: So this affects all iPhone users in the whole world?
A: Yes.

Q: But I thought only jailbroken iPhones were at risk!
A: You're confused. All iOS devices, including plain vanilla iPhones, are at risk.

Q: Is there a patch available?
A: No.

Q: Ouch. Will there be a patch?
A: Apple is expected to ship one as soon as they can.

Q: Is that confirmed?
A: It is. Apple wants to patch this for two reasons: to prevent people from jailbreaking their devices and to protect their customers from potential attacks.

Q: Does the PDF vulnerability affect Adobe PDF Reader?
A: No. Adobe PDF Reader on Windows and other platforms is not affected by this vulnerability.

Q: Is the PDF reader on my iPhone made by Adobe?
A: No, it's made by Apple. And there is no separate Reader application, PDF support is built into the OS.

Q: After all the fighting between Apple and Adobe (regarding Flash), isn't this a bit ironic?
A: Yeah.

Q: Are any other applications vulnerable?
A: Some versions of Foxit Reader and the FreeType2 library might be. See here.

Q: How many malicious attacks with this vulnerability have you seen so far?
A: Zero.

Q: So there's no risk?
A: There's no risk, at the moment. The potential for risk, however, is big.

Q: What's your best guess, when will we see an iPhone worm spreading via this vulnerability?
A: Within a week or so.

Q: How could such a worm arrive to my phone?
A: Via any mechanism that could make your device open a malicious PDF file. We have examples in an earlier blog post.

Q: So a malicious web page would do it?
A: Yes. Or a malicious PDF email attachment. Or a text message with a weblink. Or a link in Twitter or Facebook feed - assuming you click on that link with your iPhone.

Q: Could it arrive via MMS messages?
A: Thankfully, no, as PDF attachments fail in iPhone MMS messages. This is also known as security through incompatibility.

Q: How could such a worm replicate further?
A: It could replicate further from your phone by sending itself as a text message to all people listed in your phone book. For example.

Q: What could such a worm do on my phone?
A: Anything. It could do anything you can do on your phone, and more. So it could destroy or steal all of your data. Track your location. Spam your friends. Listen to your phone calls. Dial the presidents of every country in the world. Anything. And you would pay for all the charges it would create, too.

Q: So as an iPhone user, what should I do to protect myself?
A: You should be careful. And you should install the patch when it becomes available.

Q: Should I run an antivirus on my iPhone?
A: You should, yes. But you can't.

Q: I can't? Why not?
A: Because there are no antivirus programs available for iPhone.

Q: What?
A: There are no antiviruses available on iPhone. Not from any vendor.

Q: Why not?
A: We can't make them without Apple's help.

Q: Anything else I could do?
A: If your iPhone is jailbroken, you could consider installing the "PDF Loading Warner" app, made by Chronic Dev Team. We're not endorsing the tool, but it might help.

Q: What does this tool do?
A: It warns you every time a web page tries to load a PDF file, harmful or not.

Q: Where can I get that PDF Loading Warner app?
A: See here.

Q: Are you telling me that it would be safer now to jailbreak my phone so I could install a PDF Warner?
A: Yes, sort of.

Q: But wouldn't jailbreaking expose my phone to other security risks?
A: Well yes, it would. And we do not recommend people to jailbreak any of their devices for any reason. For example the only iPhone worms we've seen so far only infected jailbroken devices, although those also required you to install an SSH server, and assumed you had not changed your root password.

Q: So you know the root password of my iPhone?
A: If you haven't changed it, it's "alpine".

Q: So I guess I should change it?
A: Yes, although that's not related to the jailbreakme vulnerability. For instructions, see our blog post from 2009.

Q: Anything else I could do?
A: You should follow the news. If there will be a real attack via this vulnerability, we will be able to give you much more concrete instructions on how to protect yourself. Follow our blog and Twitter feeds.