<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>iMore &#187; exploit</title>
	<atom:link href="http://www.imore.com/tag/exploit/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.imore.com</link>
	<description>More of everything iPhone and iPad</description>
	<lastBuildDate>Sun, 27 May 2012 07:29:21 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Address bar spoofing exploit found for iPhone, iPad Safari in iOS 5.1</title>
		<link>http://www.imore.com/2012/03/23/address-bar-spoofing-exploit-apples-mobile-safari-ios-51/</link>
		<comments>http://www.imore.com/2012/03/23/address-bar-spoofing-exploit-apples-mobile-safari-ios-51/#comments</comments>
		<pubDate>Fri, 23 Mar 2012 06:10:09 +0000</pubDate>
		<dc:creator>Chris Parsons</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[ios 5.1]]></category>
		<category><![CDATA[mobile safari]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.imore.com/?p=104354</guid>
		<description><![CDATA[With the number of iOS devices out there in the world these days, the number of individuals looking to exploit Apple's offerings is growing.
A new iOS 5.1 vulnerability has now been exposed pertaining to how Mobile Safari handles web addresses input into the address bar.]]></description>
			<content:encoded><![CDATA[<p><img class="size-full wp-image-104356 aligncenter" title="iOS 5.1 Exploit" src="http://cdn.tipb.com/images/stories//2012/03/iOS_51_Exploit.jpg" alt="iOS 5.1 Exploit" width="620" height="415" />
With the number of iOS devices out there in the world these days, the number of individuals looking to exploit Apple's offerings is growing.</p>

<p>A new security vulnerability has now been exposed pertaining to how Apple's <a href="http://www.imore.com/tag/safari/">Safari</a> web browser handles site names entered into the address bar. The exploit, discovered by David Vieira-Kurz of MajorSecurity, involves spoofing (faking) the name of the site the user thinks they are going to in Safari while secretly redirecting them to a different, potentially malicious website without their knowledge.</p>

<p>The vulnerability has been reproduced on every device running iOS 5.1 including the <a href="http://www.imore.com/iphone-4/">iPhone 4</a>, <a href="http://www.imore.com/iphone-4s/">iPhone 4S</a>, <a href="http://www.imore.com/ipad-2/">iPad 2</a>, and <a href="http://www.imore.com/ipad">the new iPad</a>. Given the reproducible results, the Dutch Ministry of Security and Justice has issued a warning.</p>

<p>A proof of concept has been provided by Vieira-Kurz and the results have been acknowledged by Apple as far back as March 3rd. That said, it stands to reason that an update from Apple is being worked on to close the hole.</p>

<p>If you're looking to test out the proof of concept yourself, you can visit the Vieira-Kurz website in the source link below. If you test it, you can see how simply pushing the demo button will load a new site but the address bar would have you believe it's still apple.com.</p>

<p>Until an update is pushed from Apple, ensure you do not go clicking on any random links you don't trust and also avoid offering up any personal details on sites you're not 100% sure about. When in doubt, type in the address yourself rather than clicking a link to better make sure you're going to the right place. These are common safety measures for the internet, but certainly worth repeating with this newfound exploit now known to the masses.</p>

<p>Source: <a href="http://thenextweb.com/apple/2012/03/22/apples-safari-browser-vulnerable-to-address-bar-spoofing-exploit-in-ios-5-1/">The Next Web</a>; Via - <a href="http://majorsecurity.net/html5/ios51-demo.html">Vieira-Kurz</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2012/03/23/address-bar-spoofing-exploit-apples-mobile-safari-ios-51/feed/</wfw:commentRss>
		<slash:comments>19</slash:comments>
		</item>
		<item>
		<title>Bug in iOS 5.0.1 allows unauthorized access to your contacts and call history</title>
		<link>http://www.imore.com/2012/02/21/ios-501-bug-making-phone-calls-access-contacts-passcodelocked-iphone/</link>
		<comments>http://www.imore.com/2012/02/21/ios-501-bug-making-phone-calls-access-contacts-passcodelocked-iphone/#comments</comments>
		<pubDate>Wed, 22 Feb 2012 01:18:02 +0000</pubDate>
		<dc:creator>Andrew Wray</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Bug]]></category>
		<category><![CDATA[contacts]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[favorites]]></category>
		<category><![CDATA[Flaw]]></category>
		<category><![CDATA[ios 5.0.1]]></category>
		<category><![CDATA[ios 5.1]]></category>
		<category><![CDATA[phone]]></category>
		<category><![CDATA[Recent Calls]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Security bug]]></category>
		<category><![CDATA[SIM]]></category>

		<guid isPermaLink="false">http://www.imore.com/?p=98526</guid>
		<description><![CDATA[A new bug found in <a href="http://www.imore.com/ios-5/">iOS 5.0.1</a> may allow an unauthorized user to access your contacts, make phone calls, or use FaceTime on your passcode-protected iPhone. But stop panicking, this bug isn't easily reproduced - it requires you to have either no service or the SIM card removed. Your average snoop won't find it worth their time. ]]></description>
			<content:encoded><![CDATA[<p><img src="http://cdn.imore.com/images/stories//2010/06/iPhone-4-06-620x465.jpg" alt="" title="iPhone-4-06" width="620" height="465" class="alignleft size-medium wp-image-32222" /></p>

<p>A bug found in <a href="http://www.imore.com/ios-5/">iOS 5.0.1</a> may allow an unauthorized user to access your contacts, make phone calls, or use FaceTime on your passcode-protected iPhone. But stop panicking, this bug isn't easily reproduced -- it requires someone else to have access to your phone, with either no service or the SIM card removed. Your average snoop won't find it worth their time. </p>

<p>To trigger the bug, someone must confuse the phone after receiving a missed call by one of two methods -- doing it while you have no network coverage or actively inserting and ejecting the SIM card. This will eventually lead to the iPhone unlocking to the phone app and allowing you to place phone calls. Once you hang up, you'll be locked out again. </p>

<p>It seems a bit silly as this process obviously needs to be performed numerous times, as shown in the demo video below, in order for it to confuse the phone. As long as you aren't leaving your iPhone unattended for long periods of time with shady people who actively carry around a SIM removal tool or paperclip, I don't see this becoming a popular way of hacking into someone's iPhone.</p>

<p>A <a href="http://www.imore.com/2010/10/25/ios-41-security-flaw-calls-passcode-locked-iphone/">similar bug</a> was discovered a while back under <a href="http://www.imore.com/ios-4/">iOS 4</a> which also allowed access to contacts, favorites, and voicemail on a locked device. Another recently discovered <a href="http://www.imore.com/2012/01/04/timestamp-security-bug-leaves-photos-vulnerable-ios-5/">timestamp bug</a> in iOS 5 allowed access to your camera roll. </p>

<p>No word yet on whether or not this specific issue is patched in <a href="http://www.imore.com/tag/ios-5.1">iOS 5.1</a>. If it isn't already, it probably will be before the <a href="http://www.imore.com/2012/02/17/ios-51-rumored-coming-march-9/">public release of iOS 5.1</a>.</p>

<iframe width="620" height="345" src="http://www.youtube.com/embed/Vhy9_bYVIwk" frameborder="0" allowfullscreen></iframe>

<p>Source: <a href="http://www.iphoneislam.com/2012/02/major-ios-5-security-flaw-bypass-the-passcode-and-gives-access-for-contacts-and-making-phone">iPhoneIslam</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2012/02/21/ios-501-bug-making-phone-calls-access-contacts-passcodelocked-iphone/feed/</wfw:commentRss>
		<slash:comments>13</slash:comments>
		</item>
		<item>
		<title>Potential iPhone 4S and iPad 2 jailbreak on the horizon?</title>
		<link>http://www.imore.com/2012/01/03/untethered-jailbreak-ios-51-ready-prime-time-jailbreak/</link>
		<comments>http://www.imore.com/2012/01/03/untethered-jailbreak-ios-51-ready-prime-time-jailbreak/#comments</comments>
		<pubDate>Tue, 03 Jan 2012 19:26:26 +0000</pubDate>
		<dc:creator>Andrew Wray</dc:creator>
				<category><![CDATA[Jailbreak Apps]]></category>
		<category><![CDATA[A4]]></category>
		<category><![CDATA[A5]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[i0n1c]]></category>
		<category><![CDATA[ipad]]></category>
		<category><![CDATA[ipad 2]]></category>
		<category><![CDATA[iphone 4]]></category>
		<category><![CDATA[iphone 4s]]></category>
		<category><![CDATA[ipod touch]]></category>
		<category><![CDATA[jailbreak]]></category>
		<category><![CDATA[Untethered]]></category>
		<category><![CDATA[userland]]></category>

		<guid isPermaLink="false">http://www.tipb.com/?p=89662</guid>
		<description><![CDATA[A couple of quick updates for those still waiting on Apple A5 device jailbreaks -- namely iPhone 4S and iPad 2 -- as well as an iOS 5.1 jailbreak.

For]]></description>
			<content:encoded><![CDATA[<p><img class="aligncenter size-medium wp-image-55594" title="Potential iPhone 4S and iPad 2 jailbreak on the horizon?" src="http://cdn.imore.com/images/stories//2011/02/verizon-jailbroken-535x400.jpg" alt="Potential iPhone 4S and iPad 2 jailbreak on the horizon?" width="535" height="400" /></p>

<p>A couple of quick updates for those still waiting on Apple A5 device jailbreaks -- namely iPhone 4S and iPad 2 -- as well as an iOS 5.1 jailbreak.</p>

<p>For iPhone 4S and iPad 2 devices, @pod2g just tweeted the following:</p>

<blockquote>
  <p>made a step today for the A5. With some luck we could expect a release in a week.</p>
</blockquote>

<p>As to iOS 5.1, @i0n1c seems to have something in the pipeline, so 2012 could get off to a strong start for team Jailbreak.  </p>

<p>For more discussion and help, head on over to our <a href="http://forums.imore.com/jailbreak-unlock-forum/">Jailbreak Forums</a>.</p>

<p>Source: <a href="https://twitter.com/pod2g/status/154278690862272512">@pod2g</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2012/01/03/untethered-jailbreak-ios-51-ready-prime-time-jailbreak/feed/</wfw:commentRss>
		<slash:comments>24</slash:comments>
		</item>
		<item>
		<title>iOS security exploit exposed, already released in an Apple approved app [video]</title>
		<link>http://www.imore.com/2011/11/08/ios-security-exploit-exposed-released-apple-approved-app-video/</link>
		<comments>http://www.imore.com/2011/11/08/ios-security-exploit-exposed-released-apple-approved-app-video/#comments</comments>
		<pubDate>Tue, 08 Nov 2011 08:37:47 +0000</pubDate>
		<dc:creator>Chris Oldroyd</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[app store]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[apps]]></category>
		<category><![CDATA[charlie]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[ipad]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[ipod touch]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[miller]]></category>

		<guid isPermaLink="false">http://www.tipb.com/?p=82892</guid>
		<description><![CDATA[An iOS security exploit, unveiled by security researcher Charlie Miller, allows an app to download and execute unsigned code from a remote unknown server. What’s even more astonishing, to prove]]></description>
			<content:encoded><![CDATA[<p><object width="560" height="315"><param name="movie" value="http://www.youtube.com/v/ynTtuwQYNmk?version=3&amp;hl=en_US" /><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><embed type="application/x-shockwave-flash" width="560" height="315" src="http://www.youtube.com/v/ynTtuwQYNmk?version=3&amp;hl=en_US" allowscriptaccess="always" allowfullscreen="true"></embed></object></p>

<p>An iOS security exploit, unveiled by security researcher Charlie Miller, allows an app to download and execute unsigned code from a remote unknown server. What’s even more astonishing, to prove the exact details of this hack, Charlie Miller developed and submitted an app containing the exploit to Apple. The app was approved and available in the App Store. (It has since been removed, and  Charlie Miller has also now been removed from the iOS developer program.)</p>


<blockquote>Miller became suspicious of a possible flaw in the code signing of Apple’s mobile devices with the release of iOS 4.3 early last year. To increase the speed of the phone’s browser, Miller noticed, Apple allowed javascript code from the Web to run on a much deeper level in the device’s memory than it had in previous versions of the operating system. In fact, he realized, the browser’s speed increase had forced Apple to create an exception for the browser to run unapproved code in a region of the device’s memory, which until then had been impossible. (Apple uses other security restrictions to prevent untrusted websites from using that exception to take control of the phone.) The researcher soon dug up a bug that allowed him to expand that code-running exception to any application he’d like. “Apple runs all these checks to make sure only the browser can use the exception,” he says. “But in this one weird little corner case, it’s possible. And then you don’t have to worry about code-signing any more at all.”</blockquote>

<p>Miller plans on demonstrating the exploit at the SysCan conference in Taiwan next week. In the meantime, take a look at the video below which shows the exploit in action. Using the app he can take a copy of a user's address book, direct them to a YouTube video or steal photos from the device running the app.</p>

<p>We are sure Apple will be releasing a fix very soon to plug this exploit, now that it is out in the open!</p>

<p>Source: <a href="http://www.forbes.com/sites/andygreenberg/2011/11/07/iphone-security-bug-lets-innocent-looking-apps-go-bad/">Forbes</a> via <a href="http://daringfireball.net/linked/2011/11/07/charlie-miller-code-signing">Daring Fireball</a></p>

<p><img class="aligncenter size-medium wp-image-82896" title="Charlie Miller" src="http://cdn.imore.com/images/stories//2011/11/Charlie-Miller-560x304.png" alt="" width="560" height="304" /></p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2011/11/08/ios-security-exploit-exposed-released-apple-approved-app-video/feed/</wfw:commentRss>
		<slash:comments>21</slash:comments>
		</item>
		<item>
		<title>Chronic Dev Team still working on an untethered iOS 5 jailbreak</title>
		<link>http://www.imore.com/2011/09/15/chronic-dev-team-working-untethered-ios-5-jailbreak/</link>
		<comments>http://www.imore.com/2011/09/15/chronic-dev-team-working-untethered-ios-5-jailbreak/#comments</comments>
		<pubDate>Thu, 15 Sep 2011 17:41:14 +0000</pubDate>
		<dc:creator>Allyson Kazmucha</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[chronic dev]]></category>
		<category><![CDATA[chronic dev team]]></category>
		<category><![CDATA[comex]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[ios 5]]></category>
		<category><![CDATA[pod2g]]></category>
		<category><![CDATA[untethered jailbreak]]></category>

		<guid isPermaLink="false">http://www.tipb.com/?p=75215</guid>
		<description><![CDATA[Chronic Dev Team member @pod2g sent out a tweet stating they are all still actively working on an iOS 5 untethered jailbreak. After <a href="http://www.imore.com/2011/08/25/jailbreak-developer-comex-intern-apple/">Comex's departure to Apple</a> a lot of]]></description>
			<content:encoded><![CDATA[<p><img src="http://cdn.imore.com/images/stories//2011/09/Screen-Shot-2011-09-15-at-12.34.57-PM-560x205.png" alt="pod2G iOS 5 untethered" title="pod2G iOS 5 untethered" width="560" height="205" class="aligncenter size-medium wp-image-75216" /></p>

<p>Chronic Dev Team member @pod2g sent out a tweet stating they are all still actively working on an iOS 5 untethered jailbreak. After <a href="http://www.imore.com/2011/08/25/jailbreak-developer-comex-intern-apple/">Comex's departure to Apple</a> a lot of the jailbreak community is wondering how it affects future development of jailbreak tools. Even though Comex played a huge part in the jailbreak scene there will always be many others willing to step in and fill his shoes. The cat and mouse game will always continue. </p>

<p>Even though they are working on a new untethered exploit for <a href="http://www.imore.com/ios">iOS 5</a>, it has been stated many times that no untethered version will be released until after the official release of iOS 5. This is typical as a release before would allow Apple time to patch it and leave jailbreakers out in the cold until another exploit is found.</p>

<p>If you'd still like to <a href="http://www.imore.com/jailbreak">jailbreak</a> on iOS 5 you can do so via <a href="http://www.imore.com/2011/09/06/daily-tip-jailbreak-ios-5-beta-7-redsn0w-098b7/">Redsn0w beta</a> if you're alright with being tethered for a while. And as always, proceed with caution with any beta software and if you run into any problems or have questions, you can always check out our <a href="http://forums.imore.com/jailbreak-unlock-forum/">TiPb jailbreak forums</a>. </p>

<p>[<a href="http://www.twitter.com/pod2g">Pod2g</a>]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2011/09/15/chronic-dev-team-working-untethered-ios-5-jailbreak/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>State of the Jailbreak: iOS 4.3.5 and iOS 5 beta</title>
		<link>http://www.imore.com/2011/08/17/expect-untethered-jailbreak-ios-5-drops/</link>
		<comments>http://www.imore.com/2011/08/17/expect-untethered-jailbreak-ios-5-drops/#comments</comments>
		<pubDate>Wed, 17 Aug 2011 12:54:56 +0000</pubDate>
		<dc:creator>Allyson Kazmucha</dc:creator>
				<category><![CDATA[Banner]]></category>
		<category><![CDATA[Editorial]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[Dev Team]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[iOS 4.3.5]]></category>
		<category><![CDATA[ios 5]]></category>
		<category><![CDATA[jailbreak]]></category>
		<category><![CDATA[tethered]]></category>
		<category><![CDATA[Untethered]]></category>

		<guid isPermaLink="false">http://www.tipb.com/?p=71340</guid>
		<description><![CDATA[We're getting a lot of questions from Jailbreakers and would-be Jailbreakers both on iOS 4.x and iOS 5 so we figured it was time to once again take a look]]></description>
			<content:encoded><![CDATA[<p><img src="http://cdn.imore.com/images/stories//2009/07/iPhone_4_Pirate.jpg" alt="" title="iPhone_4_Pirate" width="260" height="378" class="aligncenter size-full wp-image-41164" /></p>

<p>We're getting a lot of questions from Jailbreakers and would-be Jailbreakers both on iOS 4.x and iOS 5 so we figured it was time to once again take a look at the state of iPhone, iPod touch and iPad Jailbreak. Here it is:</p>

<p>If you still have an <a href="http://www.imore.com/2011/04/18/ios-432-untethered-jailbreak-released/">untethered Jailbreak on iOS 4.3.3 or below</a> and want to stay untethered, don't upgrade just yet. </p>

<p>If you've already updated and you currently have a tethered jailbreak on <a href="http://www.imore.com/2011/07/25/apple-releases-ios-435-ios-4210-security-fix-iphone-ipad-ipod-touch/">iOS 4.3.5</a>, you'll probably have to stay tethered until the release version of <a href="http://www.imore.com/ios/">iOS 5</a> drops this October. </p>

<p>Why not? Because if they release an untethered Jailbreak based on an exploit in iOS 5 beta, Apple could easily patch it in the next beta and it's back to square one. </p>

<p>I'm currently on iOS 5 beta and personally can't wait to have my jailbreak back. iOS 5 is a major improvement but I still miss apps like <a href="http://www.imore.com/2011/05/31/manage-multiple-iphone-email-signatures-mail-enhancer-jailbreak/">Mail Enhancer</a> and <a href="http://www.imore.com/2010/12/20/sbsettings-iphone-jailbreak/">SBSettings</a>. I'd much rather wait and have an untethered jailbreak for the iOS 5 final release than a quick fix now that Apple kills off during the beta.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2011/08/17/expect-untethered-jailbreak-ios-5-drops/feed/</wfw:commentRss>
		<slash:comments>11</slash:comments>
		</item>
		<item>
		<title>Dev-Team working out final issues with iOS 4.3 untethered jailbreak</title>
		<link>http://www.imore.com/2011/03/30/devteam-working-final-issues-ios-43-untethered-jailbreak/</link>
		<comments>http://www.imore.com/2011/03/30/devteam-working-final-issues-ios-43-untethered-jailbreak/#comments</comments>
		<pubDate>Wed, 30 Mar 2011 19:45:23 +0000</pubDate>
		<dc:creator>Andrew Wray</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Dev Team]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[i0n1c]]></category>
		<category><![CDATA[iOS4.3]]></category>
		<category><![CDATA[jailbreak]]></category>
		<category><![CDATA[musclenerd]]></category>
		<category><![CDATA[teamjailbreak]]></category>
		<category><![CDATA[Untethered]]></category>
		<category><![CDATA[untethered jailbreak]]></category>

		<guid isPermaLink="false">http://www.tipb.com/?p=59428</guid>
		<description><![CDATA[Following up on earlier news that an untethered exploit was <a href="http://www.imore.com/2011/03/30/ios-43-untethered-jailbreak-exploit-handed-devteam/">handed over to the Dev-Team</a> from developer Stefan Esser, prominent Dev-Team member <a href="http://www.twitter.com/musclenerd">@MuscleNerd</a> tweeted that the exploit is working and]]></description>
			<content:encoded><![CDATA[<p><img src="http://cdn.imore.com/images/stories/2009/07/iPhone_4_Pirate.jpg" alt="" title="iPhone_4_Pirate" width="260" height="378" class="aligncenter size-full wp-image-41164" /></p>

<p>Following up on earlier news that an untethered exploit was <a href="http://www.imore.com/2011/03/30/ios-43-untethered-jailbreak-exploit-handed-devteam/">handed over to the Dev-Team</a> from developer Stefan Esser, prominent Dev-Team member <a href="http://www.twitter.com/musclenerd">@MuscleNerd</a> tweeted that the exploit is working and they're hammering out remaining <a href="http://www.imore.com/jailbreak/">jailbreak</a> issues at this time.</p>

<blockquote>
  <p>well @i0n1c's untether is solid! Just working out overall 4.3.x JB issues and Cydia <img src='http://www.imore.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' />  </p>
</blockquote>

<p>It looks like we could see a working untethered <a href="http://www.imore.com/2011/03/08/ios-43-iphone-ipad-walkthrough/">iOS 4.3</a> jailbreak tool released soon based on the progress update, but remember it won't work with the <a href="http://www.imore.com/ipad-2/">iPad 2</a> unless a new vulnerability is found and implemented (Apple patched the userland exploit found by Comex in 4.3.1).</p>

<p>Do you think we'll see a jailbreak released for 4.3 soon?  Sound off in the comments below!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2011/03/30/devteam-working-final-issues-ios-43-untethered-jailbreak/feed/</wfw:commentRss>
		<slash:comments>12</slash:comments>
		</item>
		<item>
		<title>iOS 4.3 untethered jailbreak exploit handed over to Dev-Team</title>
		<link>http://www.imore.com/2011/03/30/ios-43-untethered-jailbreak-exploit-handed-devteam/</link>
		<comments>http://www.imore.com/2011/03/30/ios-43-untethered-jailbreak-exploit-handed-devteam/#comments</comments>
		<pubDate>Wed, 30 Mar 2011 15:45:56 +0000</pubDate>
		<dc:creator>Allyson Kazmucha</dc:creator>
				<category><![CDATA[Jailbreak Apps]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[beta testing]]></category>
		<category><![CDATA[cydia]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[ios 4.3]]></category>
		<category><![CDATA[iphone-dev team]]></category>
		<category><![CDATA[jailbreak]]></category>
		<category><![CDATA[stefan essen]]></category>
		<category><![CDATA[Untethered]]></category>

		<guid isPermaLink="false">http://www.tipb.com/?p=59403</guid>
		<description><![CDATA[Developer Stefan Esser recently <a href="http://www.imore.com/2011/03/28/untethered-ios-431-jailbreak-shown-video/">demoed an iOS 4.3 untethered jailbreak exploit on video</a>. Today on Twitter, he has stated that the exploit has been turned over to the iPhone]]></description>
			<content:encoded><![CDATA[<p><img src="http://cdn.imore.com/images/stories/2011/03/Screen-shot-2011-03-30-at-9.32.38-AM-400x200.png" alt="" title="Screen shot 2011-03-30 at 9.32.38 AM" width="400" height="200" class="aligncenter size-medium wp-image-59405" /></p>

<p>Developer Stefan Esser recently <a href="http://www.imore.com/2011/03/28/untethered-ios-431-jailbreak-shown-video/">demoed an iOS 4.3 untethered jailbreak exploit on video</a>. Today on Twitter, he has stated that the exploit has been turned over to the iPhone Dev-Team. He stated when he released the demo video that he had no intention of releasing a jailbreak tool himself.</p>

<p>What the iPhone Dev-Team will do with the untether isn't completely clear at this point, but we can hope that it allows for an untethered jailbreak in the near future under <a href="http://www.imore.com/2011/03/08/ios-43-iphone-ipad-walkthrough/">iOS 4.3</a>. For all of you iPad 2 users out there, Stefan Esser has already stated that this exploit won't do you any good.</p>

<p>The iPhone Dev-Team is currently beta testing the exploit. We'll see if they decide to implement it in a tool in the near future. How many of you are waiting to upgrade and still on iOS 4.2.1?  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2011/03/30/ios-43-untethered-jailbreak-exploit-handed-devteam/feed/</wfw:commentRss>
		<slash:comments>46</slash:comments>
		</item>
		<item>
		<title>iPad 2 and iOS 4.3 state of the Jailbreak</title>
		<link>http://www.imore.com/2011/03/03/ipad-2-ios-43-jailbreak/</link>
		<comments>http://www.imore.com/2011/03/03/ipad-2-ios-43-jailbreak/#comments</comments>
		<pubDate>Thu, 03 Mar 2011 21:03:36 +0000</pubDate>
		<dc:creator>Allyson Kazmucha</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[cydia]]></category>
		<category><![CDATA[Dev Team]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[ios 4.3]]></category>
		<category><![CDATA[ipad 2]]></category>
		<category><![CDATA[jailbreak]]></category>
		<category><![CDATA[shatter]]></category>

		<guid isPermaLink="false">http://www.tipb.com/?p=57221</guid>
		<description><![CDATA[Will I be able to Jailbreak iPad 2 running iOS 4.3 when it launches? That's a question on a lot of users' minds. We already know <a href="http://www.imore.com/2011/01/14/state-jailbreak-ios-43-means/">the jailbreak community is </a>]]></description>
			<content:encoded><![CDATA[<p><img src="http://cdn.imore.com/images/stories/2011/03/Screen-shot-2011-03-03-at-1.13.57-PM.png" alt="" title="Screen shot 2011-03-03 at 1.13.57 PM" width="312" height="133" class="aligncenter size-full wp-image-57230" /></p>

<p>Will I be able to Jailbreak iPad 2 running iOS 4.3 when it launches? That's a question on a lot of users' minds. We already know <a href="http://www.imore.com/2011/01/14/state-jailbreak-ios-43-means/">the jailbreak community is working towards an iOS 4.3 jailbreak</a>. What we "do" know is that a tool won't go official until iOS 4.3 is out of beta and in the hands of consumers. Most of the reason behind this is so Apple doesn't patch it in a last minute update.</p>

<p>Where the iPad 2 is concerned, it's anyone's guess whether or not the solution they're currently working towards will definitely jailbreak the iPad 2. According to <a href="http://www.twitter.com/p0sixninja">@p0sixninja</a>, one of the main contributors of <a href="http://www.imore.com/2011/02/10/jailbreak-verizon-iphone-4-greenpois0n-ios-426/">greenpois0n</a>, they are hoping the <a href="http://www.imore.com/2010/09/27/shatter-exploit-underway-ipod-touch-4-fall-jailbreak/">SHAtter exploit</a> will still be a viable solution on the iPad 2 as well.</p>

<p>While we wait for a definitive answer, check out our <a href="http://www.imore.com/2010/11/09/jailbreak-quickguide-common-tools-terms-apps/">massive jailbreak guide</a> and mingle with other fellow jailbreakers in waiting over in our <a href="http://forums.imore.com/jailbreak-unlock-forum/">TiPb jailbreak forums</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2011/03/03/ipad-2-ios-43-jailbreak/feed/</wfw:commentRss>
		<slash:comments>14</slash:comments>
		</item>
		<item>
		<title>SHAtter bootrom exploit possibly leaked, what it means for jailbreakers</title>
		<link>http://www.imore.com/2010/12/22/shatter-bootrom-exploit-leaked-means-jailbreakers/</link>
		<comments>http://www.imore.com/2010/12/22/shatter-bootrom-exploit-leaked-means-jailbreakers/#comments</comments>
		<pubDate>Thu, 23 Dec 2010 04:35:13 +0000</pubDate>
		<dc:creator>Allyson Kazmucha</dc:creator>
				<category><![CDATA[Announcements]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Rumors]]></category>
		<category><![CDATA[A4]]></category>
		<category><![CDATA[appletv]]></category>
		<category><![CDATA[comex]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[iphone 4]]></category>
		<category><![CDATA[ipod touch 4]]></category>
		<category><![CDATA[jailbreak]]></category>
		<category><![CDATA[leaked]]></category>
		<category><![CDATA[musclenerd]]></category>
		<category><![CDATA[P0isixninja]]></category>
		<category><![CDATA[shatter]]></category>
		<category><![CDATA[Untethered]]></category>

		<guid isPermaLink="false">http://www.tipb.com/?p=50423</guid>
		<description><![CDATA[The SHAtter exploit found by <em>pod2g</em> appears to have been leaked.  Who leaked it and for what reason is still unclear.  What is clear is that Apple will certainly find]]></description>
			<content:encoded><![CDATA[<p><img src="http://cdn.imore.com/images/stories/2010/12/image-13-266x400.png" alt="" title="image-1" width="266" height="400" class="aligncenter size-medium wp-image-50430" /></p>

<p>The SHAtter exploit found by <em>pod2g</em> appears to have been leaked.  Who leaked it and for what reason is still unclear.  What is clear is that Apple will certainly find a way to patch the hardware if it did in fact leak.  When <a href="http://www.imore.com/2010/10/09/updated-limera1n-released-greenpois0n-jailbreak/">Limera1n was released</a>, it kept the SHAtter bootrom exploit safe for future jailbreaks as it would require a complete hardware revision to be done by Apple.</p>

<p>SHAtter basically used a hardware exploit in the A4 series of devices (iPhone 4, iPad, AppleTV 2nd generation, and iPod Touch 4G).  You can bet Apple will make a hardware revision to patch SHAtter.  It seems there is some drama between some members of the jailbreak community over who actually "leaked" the SHAtter exploit.</p>

<p><a href="http://www.twitter.com/P0isixninja">@P0isixninja</a> of the <em>Chronic Dev Team</em> is pointing the finger of blame at <a href="http://www.twitter.com/musclenerd">@Musclenerd</a>.  As Musclenerd concentrates on unlocks, it seems unreasonable to think he'd leak an exploit he would need in order to create an unlock.  Click through for a response to the drama from <a href="http://www.twitter.com/comex">@comex</a>, who claims that if it doesn't stop, he'll just e-mail the exploit directly to Apple.  Not good news for the jailbreak community.</p>

<p>The part of Comex's tweet that got me was where he said <em>(the real) SHAtter</em>.  Digging further into Twitter shows that maybe a fake exploit was leaked on purpose.  We'll update when we know more.</p>

<p>What are you guys' thoughts? It's been a crazy evening for jailbreakers.  First <a href="http://www.imore.com/2010/12/22/ios-421-untethered-jailbreak-iphone-ipad-happen-time-christmas/">Comex stated the Christmas untethered deadline would be missed</a>, and now a leaked exploit.  Lend us your thoughts in the comments!</p>

<p><span id="more-50423"></span></p>

<p><img src="http://cdn.imore.com/images/stories/2010/12/image5-266x400.png" alt="" title="image" width="266" height="400" class="aligncenter size-medium wp-image-50429" /></p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2010/12/22/shatter-bootrom-exploit-leaked-means-jailbreakers/feed/</wfw:commentRss>
		<slash:comments>36</slash:comments>
		</item>
		<item>
		<title>Paypal for iPhone Wi-Fi exploit discovered, patched</title>
		<link>http://www.imore.com/2010/11/04/paypal-iphone-wifi-exploit-discovered-patched/</link>
		<comments>http://www.imore.com/2010/11/04/paypal-iphone-wifi-exploit-discovered-patched/#comments</comments>
		<pubDate>Thu, 04 Nov 2010 12:51:05 +0000</pubDate>
		<dc:creator>Allyson Kazmucha</dc:creator>
				<category><![CDATA[App Store Apps]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[iphone app]]></category>
		<category><![CDATA[man in the middle attack]]></category>
		<category><![CDATA[paypal]]></category>
		<category><![CDATA[security flaw]]></category>

		<guid isPermaLink="false">http://www.tipb.com/?p=42783</guid>
		<description><![CDATA[<a href="http://www.imore.com/2010/11/04/paypal-iphone-wifi-exploit-discovered-patched/waw1-iphone-image-2010-11-03-18-35-38/" rel="attachment wp-att-42784"></a>

It seems a security hole in Paypal's iPhone app has been discovered that would allow hackers to access users' Paypal usernames and passwords over Wi-Fi.  The "man-in-the-middle attack" lets the]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.imore.com/2010/11/04/paypal-iphone-wifi-exploit-discovered-patched/waw1-iphone-image-2010-11-03-18-35-38/" rel="attachment wp-att-42784"><img src="http://cdn.imore.com/images/stories/2010/11/wAw1.iPhone-image-2010-11-03-18.35.38-266x400.png" alt="" title="wAw1.iPhone image 2010-11-03 18.35.38" width="266" height="400" class="aligncenter size-medium wp-image-42784" /></a></p>

<p>It seems a security hole in Paypal's iPhone app has been discovered that would allow hackers to access users' Paypal usernames and passwords over Wi-Fi.  The "man-in-the-middle attack" lets the hacker come between the information the user inputs and Paypal's servers.  Although this is dangerous, it does require the hacker to be on the same Wi-Fi connection as the user in order to steal their information.   </p>

<p>Airports, train stations, coffee shops, and other public Wi-Fi locations are the most susceptible.  Paypal has issued a statement assuring users that if anyone does fall victim to this exploit, Paypal will cover 100% of all fraudulent charges. Paypal spokeswoman Amanda Pires had this to say -</p>

<blockquote>
  <p>"To my knowledge it has not affected anybody," Ms. Pires said. "We've never had an issue with our app until now."</p>
</blockquote>

<p>Isn't that how it typically works, though? You don't have problems, until you do.  And this is a large one.  I'd highly suggest updating ASAP; the update is available via the App Store now.</p>

<p><a href="http://online.wsj.com/article/SB10001424052748703506904575592782874885808.html">via WSJ</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2010/11/04/paypal-iphone-wifi-exploit-discovered-patched/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>UPDATED: iOS 4.1 security flaw allows calls to be made on passcode locked iPhone</title>
		<link>http://www.imore.com/2010/10/25/ios-41-security-flaw-calls-passcode-locked-iphone/</link>
		<comments>http://www.imore.com/2010/10/25/ios-41-security-flaw-calls-passcode-locked-iphone/#comments</comments>
		<pubDate>Mon, 25 Oct 2010 23:51:56 +0000</pubDate>
		<dc:creator>iMore Staff</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[ios 4.1]]></category>
		<category><![CDATA[ios 4.1 bugs]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[Passcode Lock]]></category>
		<category><![CDATA[phone]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[tipbvideo]]></category>
		<category><![CDATA[Video]]></category>

		<guid isPermaLink="false">http://www.tipb.com/?p=41934</guid>
		<description><![CDATA[It looks as if there's yet another Phone.app security hole, this time in iOS 4.1 that allows someone to get around a passcode locked iPhone, gain access to the owner's]]></description>
			<content:encoded><![CDATA[<p><object width="480" height="385"><param name="movie" value="http://www.youtube.com/v/c8bqYFgBmfc?fs=1&amp;hl=en_US"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/c8bqYFgBmfc?fs=1&amp;hl=en_US" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="385"></embed></object></p>

<p>It looks as if there's yet another Phone.app security hole, this time in iOS 4.1 that allows someone to get around a passcode locked iPhone, gain access to the owner's contact list, make calls and send emails to anyone in said contact list.  From MacStories:</p>

<blockquote>
  <p>"To reproduce the bug, make sure to have a passcode lock turned on and lock your device. In the lockscreen, tap on Emergency Call in the lower left corner. Now type a non-existent emergency number, I tried #946494. Start the call, and as soon as the red button appears hit the sleep button. You’ll be brought to the contact list."</p>
</blockquote>

<p>The issue will most likely get patched by Apple in the 4.2 update coming later this month, but it's not the first time the emergency call screen has been exploited. Both <a href="http://www.imore.com/2008/09/19/security-flaw-revealed-in-21/">iOS 2.1</a> and <a href="http://www.imore.com/2008/08/27/gigantic-security-flaw-uncovered-in-202/">iOS 2.0.2</a> suffered from passcode lock bugs. Hopefully Apple pays extra attention and really secures Phone.app this time.</p>

<p>We were able to recreate the issue in the video above.  Any readers out there seeing the same results?  Let us know your thoughts on this in the comments below!</p>

<p>UPDATE: This bug appears to already be fixed in iOS 4.2 beta, which is due to be released in November.</p>

<p>[<a href="http://www.macstories.net/news/iphone-security-hole-lets-you-make-calls-when-the-phone-is-locked/">MacStories</a>]</p>

<p><em>by Andrew Wray</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2010/10/25/ios-41-security-flaw-calls-passcode-locked-iphone/feed/</wfw:commentRss>
		<slash:comments>30</slash:comments>
		</item>
		<item>
		<title>Geohot exploit + Comex userland tools to keep Apple A4 iPhones Jailbroken and untethered Forever</title>
		<link>http://www.imore.com/2010/10/16/geohot-exploit-comex-userland-tools-apple-a4-iphones-jailbroken-untethered/</link>
		<comments>http://www.imore.com/2010/10/16/geohot-exploit-comex-userland-tools-apple-a4-iphones-jailbroken-untethered/#comments</comments>
		<pubDate>Sat, 16 Oct 2010 19:28:31 +0000</pubDate>
		<dc:creator>iMore Staff</dc:creator>
				<category><![CDATA[Jailbreak Apps]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[comex]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[Geohot]]></category>
		<category><![CDATA[jailbreak]]></category>
		<category><![CDATA[limera1n]]></category>
		<category><![CDATA[pwnagetool]]></category>
		<category><![CDATA[userland tools]]></category>

		<guid isPermaLink="false">http://www.tipb.com/?p=41186</guid>
		<description><![CDATA[iPhone Dev Team's MuscleNerd has announced via Twitter that Comex's Userland Tools can be used to keep all <a href="http://www.imore.com/tag/apple-a4/">Apple A4</a> chipset-based, Jailbroken iPhones, iPod touches, and iPads untethered for all]]></description>
			<content:encoded><![CDATA[<p><img src="http://cdn.imore.com/images/stories/2009/07/iPhone_4_Pirate.jpg" alt="" title="iPhone_4_Pirate" width="260" height="378" class="aligncenter size-full wp-image-41164" /></p>

<p>iPhone Dev Team's MuscleNerd has announced via Twitter that Comex's Userland Tools can be used to keep all <a href="http://www.imore.com/tag/apple-a4/">Apple A4</a> chipset-based, Jailbroken iPhones, iPod touches, and iPads untethered for all future firmware releases.  Coupled with Geohot's <a href="http://www.imore.com/tag/limera1n/">limera1n</a> exploit, which will work on all current A4 devices for the duration of their lifespan, and iPhone Dev Team's custom <a href="http://www.imore.com/tag/pwnagetool/">pwnagetool</a>, which will keep your baseband unlockable, Jailbreakers can look forward to being up to date with all current firmware releases without any worry of losing their Jailbreak or Unlock status.</p>

<ul>
<li>Pwnagetool lets you create custom firmware with older baseband to preserve unlock (iPhone 4 owners can also use TinyUmbrella)</li>
<li>Comex Userland Tools are built into both limera1n and <a href="http://www.imore.com/tag/greenpois0n/">greenpois0n</a> to keep Jailbreak untethered.</li>
<li>Geohot Exploit is a bootrom-level exploit that can't be closed without new hardware from Apple.</li>
</ul>

<p>Does this make you more likely to Jailbreak? Tell us what you think below or visit our <a href="http://forums.imore.com/jailbreak-forum/">Jailbreak Forum</a> for more.</p>

<p>[<a href="http://twitter.com/#!/MuscleNerd/status/27529725242">@MuscleNerd</a>]</p>

<p><em>by Farbod</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2010/10/16/geohot-exploit-comex-userland-tools-apple-a4-iphones-jailbroken-untethered/feed/</wfw:commentRss>
		<slash:comments>27</slash:comments>
		</item>
		<item>
		<title>Apple to patch Jailbreakme.com, PDF font exploit in upcoming software update</title>
		<link>http://www.imore.com/2010/08/05/apple-patch-jailbreakmecom-pdf-font-exploit-upcoming-software-update/</link>
		<comments>http://www.imore.com/2010/08/05/apple-patch-jailbreakmecom-pdf-font-exploit-upcoming-software-update/#comments</comments>
		<pubDate>Thu, 05 Aug 2010 14:53:49 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[ios 4]]></category>
		<category><![CDATA[ios 4 bugs]]></category>
		<category><![CDATA[jailbreakme]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.tipb.com/?p=36184</guid>
		<description><![CDATA[<a href="http://cdn.imore.com/images/stories/2010/08/photo.png"></a>

I think we all generally assumed this, but it's nice to see Apple going on record as saying they'll patch the PDF font exploit that currently allows the <a href="http://www.imore.com/tag/jailbreakme/">Jailbreakme.com jailbreak</a>]]></description>
			<content:encoded><![CDATA[<p><a href="http://cdn.imore.com/images/stories/2010/08/photo.png"><img src="http://cdn.imore.com/images/stories/2010/08/photo-266x400.png" alt="Jailbreakme" title="Jailbreakme" width="266" height="400" class="aligncenter size-medium wp-image-35981" /></a></p>

<p>I think we all generally assumed this, but it's nice to see Apple going on record as saying they'll patch the PDF font exploit that currently allows the <a href="http://www.imore.com/tag/jailbreakme/">Jailbreakme.com jailbreak</a> -- and potentially any malicious hacker out there -- to run code on an iPhone with just the tap of a web button. <em>CNET</em> scored the quote from an Apple spokeswoman:</p>

<blockquote>
  <p>"We're aware of this reported issue, we have already developed a fix and it will be available to customers in an upcoming software update."</p>
</blockquote>

<p>That might not be great news for Jailbreakers in the waiting, but this is a really bad security vulnerability and Jailbreak or no Jailbreak, Apple needs to fix it as soon as possible. Apple of course currently only provides updates in the form of complete firmware re-writes, which means we're likely going to have to wait for an iOS 4.0.2 (and hopefully a proximity sensor fix), or <a href="http://www.imore.com/tag/ios-4-1/">iOS 4.1</a> this fall when Apple introduces <a href="http://www.imore.com/tag/ipod-touch-g4/">iPod touch 4</a>.</p>

<p>If they could somehow work out a way to patch iOS, especially OTA, without having to wait until an entirely new firmware is ready it would go a long way towards speeding up their security response time for situations such as this.</p>

<p>[<a href="http://news.cnet.com/8301-31021_3-20012694-260.html">CNET</a>] </p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2010/08/05/apple-patch-jailbreakmecom-pdf-font-exploit-upcoming-software-update/feed/</wfw:commentRss>
		<slash:comments>26</slash:comments>
		</item>
		<item>
		<title>Regarding Jailbreak, exploits, and maliciousness</title>
		<link>http://www.imore.com/2010/08/02/jailbreak-exploits-maliciousness/</link>
		<comments>http://www.imore.com/2010/08/02/jailbreak-exploits-maliciousness/#comments</comments>
		<pubDate>Mon, 02 Aug 2010 23:38:10 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[Editorial]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[ipad]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[ipod touch]]></category>
		<category><![CDATA[jailbreak]]></category>
		<category><![CDATA[jailbreakme]]></category>

		<guid isPermaLink="false">http://www.tipb.com/?p=35980</guid>
		<description><![CDATA[<a href="http://cdn.imore.com/images/stories/2010/08/photo.png"></a>

Last night during iPad live I ranted on about how a web-based Jailbreak, like the <a href="http://www.imore.com/2010/08/01/jailbreak-iphone-4-3gs-3g-ios-4401-ipad-ios-321-jailbreakme-20/">recent iPhone 4/iOS 4.x/iOS 3.2.x release</a> showed a dangerous exploit that Apple needed to patch]]></description>
			<content:encoded><![CDATA[<p><a href="http://cdn.imore.com/images/stories/2010/08/photo.png"><img src="http://cdn.imore.com/images/stories/2010/08/photo-266x400.png" alt="Jailbreakme" title="Jailbreakme" width="266" height="400" class="aligncenter size-medium wp-image-35981" /></a></p>

<p>Last night during iPad live I ranted on about how a web-based Jailbreak, like the <a href="http://www.imore.com/2010/08/01/jailbreak-iphone-4-3gs-3g-ios-4401-ipad-ios-321-jailbreakme-20/">recent iPhone 4/iOS 4.x/iOS 3.2.x release</a> showed a dangerous exploit that Apple needed to patch immediately before someone evil got a hold of it and began malicious attacks.</p>

<p>Is this different from any other Jailbreak? Yes and no. All Jailbreaks begin with an exploit -- a mistake in the software code -- that lets outside code get in and run on the device. But that code doesn't have to Jailbreak your iPhone, iPod touch, or iPad. It can do anything. It can paint your screen a lovely color, or it can steal your personal information and beam it back to hacker HQ. Jailbreak good, virus or trojan bad, but the root of both is the same -- an exploit that allows remote code execution. If a Jailbreak can get in, so too can presumably almost anything else.</p>

<p>Web-based exploits -- like one of the original iPhone 1.x Jailbreaks and now the recent iPhone 4, etc. Jailbreak -- are theoretically more dangerous because they're easier to trigger. You don't have to download and run a program or go through all the steps of putting your device in DFU mode. You just go to a website, maybe tap a few times, and boom, you're Jailbroken -- or boom, you're in a world of trouble.</p>

<p>Evildoers could conceivably make fake or compromised versions of *ra1n or Spirit, or whatnot -- that's one of the ways malware spreads in the PC and even Mac world. They could conceivably make infected versions of any Jailbreak or cracked app. And they sure could make fake versions or mirrors of web-based Jailbreak sites.</p>

<p>Should this scare you? Yes. The likelihood of a fake Jailbreak program is probably a lot lower than a fake Jailbreak website, or worse -- just a random website armed with the exploit. </p>

<p>Should Apple fix it immediately? Yes, even though they'll get accused of "shutting down Jailbreak" again. Zero-day, in the wild. This is as bad as it gets. Sure it's convenient and many people want an easy Jailbreak but this is just too easy to go way beyond Jailbreak.</p>

<p>Apple's not the fastest company on the planet when it comes to patching exploits, unfortunately, but hopefully this spurs them on to newer, faster, action.</p>

<p>In the meantime, if you're sophisticated enough to really examine what you click or tap before you download or activate something, if you know the source of what you've got, where exactly it comes from, and what precisely it's going to do before you use it, you're probably fine. If you're the one whose PC keeps getting infected from Limewire downloads and fringe pr0n sites, then start being careful. Don't click or tap on random links, don't go to websites you don't trust.</p>

<p>Everything has a good and bad side. Nothing comes without a cost. Breaking into the root jail of an iPhone or iPad means you've stripped away Apple's signing system and sandbox. That can help you get useful customizations and controls, and it can help bad guys get your information.</p>

<p>UPDATE: There seems to be some confusion in the comments. This exploit is potentially dangerous whether you Jailbreak or not. Web-based, zero-day exploits in the wild are serious. Apple needs to patch it asap.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2010/08/02/jailbreak-exploits-maliciousness/feed/</wfw:commentRss>
		<slash:comments>74</slash:comments>
		</item>
		<item>
		<title>Black Hat: SMS Attacks Not Just for iPhones</title>
		<link>http://www.imore.com/2009/07/30/black-hat-sms-attacks-iphones/</link>
		<comments>http://www.imore.com/2009/07/30/black-hat-sms-attacks-iphones/#comments</comments>
		<pubDate>Thu, 30 Jul 2009 21:25:42 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[black hat]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[sms]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/?p=10248</guid>
		<description><![CDATA[<a href="http://www.imore.com/images/stories/2009/07/hacking-into-iphone-sms.png"></a>

<a href="http://technologizer.com/2009/07/30/your-phone-is-probably-vulnerable-to-malicious-text-messages/">Technologizer</a> is reporting on the <a href="http://www.imore.com/2009/07/30/charlie-miller-demonstrate-iphone-sms-hack-black-hat-conference-today/">developing story</a> on SMS attacks coming out of today's Black Hat Conference sessions. Seems like while the iPhone is grabbing a lot of attention, almost]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.imore.com/images/stories/2009/07/hacking-into-iphone-sms.png"><img src="http://www.imore.com/images/stories/2009/07/hacking-into-iphone-sms-266x400.png" alt="hacking-into-iphone-sms" title="hacking-into-iphone-sms" width="266" height="400" class="aligncenter size-medium wp-image-9714" /></a></p>

<p><a href="http://technologizer.com/2009/07/30/your-phone-is-probably-vulnerable-to-malicious-text-messages/">Technologizer</a> is reporting on the <a href="http://www.imore.com/2009/07/30/charlie-miller-demonstrate-iphone-sms-hack-black-hat-conference-today/">developing story</a> on SMS attacks coming out of today's Black Hat Conference sessions. Seems like while the iPhone is grabbing a lot of attention, almost all GSM phones are said to be vulnerable. Basically, they get around the anti-spoofing security and send data designed to get access and take control of the phone.</p>

<p>On the iPhone specific side, however:</p>

<blockquote>
  <p>In a final coup for the conference, Lackey and Miras demonstrated an iPhone app they call TAFT which can, at the click of a few buttons, transmit various types of attacks against specific, vulnerable phone models, including iPhones, and phones running the Windows Mobile 5 and pre-”cupcake” Android operating systems.</p>
</blockquote>

<p>Vendors, including Apple, are working on patching the exploit, though there is still no word on which specific models or firmware versions are vulnerable.</p>

<p>More as the story continues to develop.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2009/07/30/black-hat-sms-attacks-iphones/feed/</wfw:commentRss>
		<slash:comments>31</slash:comments>
		</item>
		<item>
		<title>Charlie Miller to Demonstrate iPhone SMS Hack at Black Hat Conference Today</title>
		<link>http://www.imore.com/2009/07/30/charlie-miller-demonstrate-iphone-sms-hack-black-hat-conference-today/</link>
		<comments>http://www.imore.com/2009/07/30/charlie-miller-demonstrate-iphone-sms-hack-black-hat-conference-today/#comments</comments>
		<pubDate>Thu, 30 Jul 2009 11:46:01 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[charlie miller]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[sms]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/?p=10240</guid>
		<description><![CDATA[<a href="http://www.imore.com/images/stories/2009/07/hacking-into-iphone-sms.png"></a>

UPDATE: Some folks are telling us that this is an iPhone 2.2.1 exploit already patched in 3.0. We'll wait for an update from Black Hat before we exhale, however...

<a href="http://www.imore.com/2009/07/03/ihacker-charlie-discloses-iphone-sms-security-vulnerability/">Almost </a>]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.imore.com/images/stories/2009/07/hacking-into-iphone-sms.png"><img src="http://www.imore.com/images/stories/2009/07/hacking-into-iphone-sms-266x400.png" alt="hacking-into-iphone-sms" title="hacking-into-iphone-sms" width="266" height="400" class="aligncenter size-medium wp-image-9714" /></a></p>

<p>UPDATE: Some folks are telling us that this is an iPhone 2.2.1 exploit already patched in 3.0. We'll wait for an update from Black Hat before we exhale, however...</p>

<p><a href="http://www.imore.com/2009/07/03/ihacker-charlie-discloses-iphone-sms-security-vulnerability/">Almost a month ago</a> we linked to an Engadget report on <a href="http://www.imore.com/tag/charlie-miller">Charlie Miller</a> and his SMS exploit for the iPhone. Well, today is the day he intends to show it off at the <a href="https://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Miller">Black Hat conference</a>. </p>

<p>Thanks to some last-minute <a href="http://www.wired.com/gadgetlab/2009/07/sms-hijack-iphone">media</a> <a href="http://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html">attention</a>, however, the general iPhone user base seems to be getting a tad nervous. And rightly so. We've said it before and we'll say it again: in an ideal world, NSA expert come iHacker Charlie, whose claim to current fame is using Mac exploits to win Pwn2own contests and free laptops, would work with companies like Apple and Microsoft (yes, it looks like <a href="http://www.wpcentral.com/ihacker-charlie-says-winmo-risk-too">Windows Mobile has an exploit as well</a>), and those companies would patch the exploits as soon as possible, before any "research" was publicly disclosed and any bad guys decided to use them as attack vectors.</p>

<p>TiPb will update after Miller's Black Hat disclosure, and hopefully Apple will roll the security fix into a quick 3.0.2 firmware release, or hurry 3.1 out of the gate.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2009/07/30/charlie-miller-demonstrate-iphone-sms-hack-black-hat-conference-today/feed/</wfw:commentRss>
		<slash:comments>27</slash:comments>
		</item>
		<item>
		<title>iHacker Charlie Discloses iPhone SMS Security Vulnerability</title>
		<link>http://www.imore.com/2009/07/03/ihacker-charlie-discloses-iphone-sms-security-vulnerability/</link>
		<comments>http://www.imore.com/2009/07/03/ihacker-charlie-discloses-iphone-sms-security-vulnerability/#comments</comments>
		<pubDate>Fri, 03 Jul 2009 11:12:25 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[black hat]]></category>
		<category><![CDATA[charlie miller]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[hackery]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[sms]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/?p=9713</guid>
		<description><![CDATA[<a href="http://www.imore.com/images/stories/2009/07/hacking-into-iphone-sms.png"></a>

In an ideal world, Mac and iPhone hacker <a href="http://www.imore.com/tag/charlie-miller">Charlie Miller</a> would discover vulnerabilities, inform Apple, and Apple would then patch them before they had any chance of being exploited "in]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.imore.com/images/stories/2009/07/hacking-into-iphone-sms.png"><img src="http://www.imore.com/images/stories/2009/07/hacking-into-iphone-sms-266x400.png" alt="hacking-into-iphone-sms" title="hacking-into-iphone-sms" width="266" height="400" class="aligncenter size-medium wp-image-9714" /></a></p>

<p>In an ideal world, Mac and iPhone hacker <a href="http://www.imore.com/tag/charlie-miller">Charlie Miller</a> would discover vulnerabilities, inform Apple, and Apple would then patch them before they had any chance of being exploited "in the wild".</p>

<p>Miller, however, prefers to keep them to himself so he can win MacBooks and detail them at Black Hat conferences. The good of the hacker obviously outweighs the good of the users, every one. So be it.</p>

<p>Miller's latest iPhone-related find was disclosed at SyScan in Singapore: </p>

<blockquote>
  <p>a hole that would let attackers "run software code on the phone that is sent by SMS over a mobile operator's network in order to monitor the location of the phone using GPS, turn on the phone's microphone to eavesdrop on conversations, or make the phone join a distributed denial of service attack or a botnet." </p>
</blockquote>

<p>Apple, for their part, is hoping to have this patched before Miller's upcoming Black Hat gig.</p>

<p>We hope so too.</p>

<p>[via <a href="http://www.engadget.com/2009/07/02/apple-patching-nasty-iphone-sms-vulnerability/">Engadget</a>. Thanks Travis for the tip!]</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2009/07/03/ihacker-charlie-discloses-iphone-sms-security-vulnerability/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>iPhone 2.2 + Security Patch to Hit Tomorrow?!</title>
		<link>http://www.imore.com/2008/11/20/iphone-22-security-patch-hit-tomorrow/</link>
		<comments>http://www.imore.com/2008/11/20/iphone-22-security-patch-hit-tomorrow/#comments</comments>
		<pubDate>Thu, 20 Nov 2008 21:56:19 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[Rumors]]></category>
		<category><![CDATA[2.2]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[firmware 2.2]]></category>
		<category><![CDATA[iphone 2.2]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/?p=5561</guid>
		<description><![CDATA[<a href="http://www.macrumors.com/2008/11/20/iphone-vulnerability-fix-coming-on-november-21st-in-firmware-2-2/">Macrumors</a> is quoting <a href="http://www.spiegel.de/netzwelt/mobil/0,1518,591707,00.html">Spiegel.de</a> as saying both that a new security flaw has been found in iPhone OS 2.1, and that a patch will be included in iPhone OS]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.imore.com/images/stories/2008/09/iphone_2-2.jpg" alt="" title="iPhone Firmware 2.2" width="350" height="197" class="aligncenter size-full wp-image-4606" /></p>

<p><a href="http://www.macrumors.com/2008/11/20/iphone-vulnerability-fix-coming-on-november-21st-in-firmware-2-2/">Macrumors</a> is quoting <a href="http://www.spiegel.de/netzwelt/mobil/0,1518,591707,00.html">Spiegel.de</a> as saying both that a new security flaw has been found in iPhone OS 2.1, and that a patch will be included in iPhone OS 2.2 due to drop... tomorrow?!</p>

<blockquote>[A] newly announced iPhone vulnerability that can force a (potentially expensive) phone call to be made simply by visiting a webpage in Safari... SIT reports that they notified Apple of the issue a month ago and that a fix will become available on November 21st through a firmware upgrade. </blockquote>

<p>We've already <a href="http://www.imore.com/2008/11/11/rumor-iphone-os-22-10-days/">run down the other new features rumored to be included in 2.2</a>, so now we just sit by iTunes, hit the Update button, and wait (unless you've jailbroken, then remember to <a href="http://www.imore.com/2008/11/17/dev-team-warning-future-unlockers-update-22/">steer clear</a>!)</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2008/11/20/iphone-22-security-patch-hit-tomorrow/feed/</wfw:commentRss>
		<slash:comments>14</slash:comments>
		</item>
		<item>
		<title>Flash and Java on the iPhone: Video Dream vs. Security Nightmare Redux</title>
		<link>http://www.imore.com/2008/09/04/flash-and-java-on-the-iphone-video-dream-vs-security-nightmare-redux/</link>
		<comments>http://www.imore.com/2008/09/04/flash-and-java-on-the-iphone-video-dream-vs-security-nightmare-redux/#comments</comments>
		<pubDate>Thu, 04 Sep 2008 13:25:50 +0000</pubDate>
		<dc:creator>Rene Ritchie</dc:creator>
				<category><![CDATA[Editorial]]></category>
		<category><![CDATA[exploit]]></category>
		<category><![CDATA[flash]]></category>
		<category><![CDATA[java]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[vulnerability]]></category>

		<guid isPermaLink="false">http://www.theiphoneblog.com/?p=4112</guid>
		<description><![CDATA[Last week the <a href="http://www.imore.com/2008/08/27/why-the-uk-was-wrong-to-ban-the-iphone-just-the-internet-ad/">UK ruled</a> that Apple was misrepresenting the iPhone's provisioning of "just the internet" due to the lack of support for two ubiquitously popular 3rd party plugins: Flash]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.imore.com/images/stories/2008/06/iphone_flash_rumor_smasher.jpg" alt="iPhone SDK: Smashing Flash Rumors" title="iPhone SDK: Smashing Flash Rumors" width="434" height="350" class="aligncenter size-full wp-image-2649" /></p>

<p>Last week the <a href="http://www.imore.com/2008/08/27/why-the-uk-was-wrong-to-ban-the-iphone-just-the-internet-ad/">UK ruled</a> that Apple was misrepresenting the iPhone's provisioning of "just the internet" due to the lack of support for two ubiquitously popular 3rd party plugins: Flash and Java. We've previously covered the will they/won't they <a href="http://www.imore.com/2008/03/25/being-played-flash-music-and-manipulation-wait-a-thon/">drama</a> surrounding development and deployment of <a href="http://www.imore.com/tag/flash/">Flash</a> and <a href="http://www.imore.com/tag/java/">Java</a> pretty much ad nauseam infinitum, as well as some seldom discussed yet surprisingly frightening concerns about Flash and its downright sneaky use of <a href="http://www.imore.com/2008/03/13/flash-on-iphone-video-dream-or-privacy-nightmare/">3rd party advertising cookies</a>.</p>

<p>More recently, however, another issue has come to light. Primarily concerned with Windows Vista security and how it can be circumvented, this issue throws a renewed focus on the danger of 3rd party plugins like Flash and Java, on how they interpret and run code on our machines, and on how they provide an increasingly popular attack vector for bad guys (hackers, malware authors, identity thieves, etc.).</p>

<p>How does this all relate to the iPhone, and what about ZOMG! Can has my Flash vidz? Read on to find out!</p>

<p><span id="more-4112"></span></p>

<p>Before we begin, I'll just mention again that I'm a long time (10+ years) web developer who works quite a bit with Flash. I'll also add that some coverage of the issues I'm about to get into has tended towards the sensationalistic. The sky is not falling. We're not doomed. Or, at least, not because of anything to do with Flash, Java, or the iPhone.</p>

<p>Caveat'd enough? Good. </p>

<p>Back in early August at the Black Hat conference, Alexander Sotirov and Mark Dowd presented a paper amusingly titled <em><a href="http://taossa.com/index.php/2008/08/07/impressing-girls-with-vista-memory-protection-bypasses/">How to Impress Girls with Browser Memory Protection Bypasses</a></em>. While Vista security proper is beyond the scope of this blog, as operating systems like OS X on the iPhone become increasingly hardened against security exploits, the web browser becomes the path of least resistance for hackers to get at us and our stuff.</p>

<p>The iPhone's browser, MobileSafari, is currently the closest thing to a desktop-class rendering engine that can be found on a handset. It's based on the same WebKit core as Safari for Mac and Windows, and so it's not unreasonable to imagine it shares the same advantages (real HTML, CSS, and AJAX) and risks (can be exploited). This could potentially include buffer overruns, cross-site scripting, and -- yes -- plugin vulnerabilities.</p>

<p>On a recent episode of the TWiT network's popular <a href="http://www.twit.tv/sn159">Security Now! podcast</a>, Steve Gibson summed up the problems with Flash and Java:</p>

<blockquote>Their technologies, especially in the case of Java, Java has, deliberately has readable, writable, and executable memory because of the way it operates. So it's a big target.  And so many of these third-party things, which you could pretty much depend upon, you know, Flash player is installed in the high 90 percentile of Windows machines so you can count on it being there.</blockquote>

<p>And what if we could likewise count on their being on the iPhone? What potential problem could that expose?</p>

<blockquote>Certainly after this paper has come out where these guys demonstrate clearly the exploitability of Flash, which is not [Data Execution Prevention] compatible, it's like, okay, Adobe, if you want your code in my machine, you make it safe.  Because we've seen a bunch of Flash exploits here in the last few months.  And, you know, this wouldn't be possible if Adobe would do the work.  I don't care how hard it is, it's certainly possible to code around this [...] Basically this is laziness.  In this day and age, for Flash still not to be marked as DEP friendly when it is in a highly vulnerable environment, it's not like it's something down on your tray, it's in your browser.  And we know what a target browsers are just by their very nature.  I mean, in fact, the whole focus of this paper was specifically browser vulnerability. [...] It is very common applications like Silverlight, like Flash, commonly used components, or even Media Player, that are invokable by the browser and still not yet safe, that is really now the main target of exploitation. </blockquote>

<p>We've already seen MobileSafari exploits in the wild (indeed, a TIFF-based vulnerability was one of the first ways people found to <a href="http://www.imore.com/2007/10/16/iphone-and-ipod-touch-jailbreaks-for-111/">jailbreak the iPhone 1.1.1</a> -- just by entering a URL in the browser!)</p>

<p>Again, this is not breakworld stuff. No need to panic and lock your handset in a lead box. Future versions of Flash and Java (and similar plugins) will likely address these issues.</p>

<p>Just remember, for now, that the iPhone is tremendously popular, and thus will be a tremendously popular target for hackers. Apple already has to worry about securing the HTML, CSS, AJAX (JavaScript), and QuickTime (which they own and can therefore rapidly address) components of Mobile Safari. Add to that the complications of 3rd party code interpreters with a very real history not only of exploits but (in the case of Flash) of being bloated and buggy on the Mac (another thing Adobe has chosen not yet to prioritize fixing), and it begins to make more sense why we haven't seen Flash or Java on the iPhone, a device that knows who we are (all our data) and where we are (3G aGPS).</p>

<p>But wait, other smartphones run versions of Flash and Java, don't they? Sure, but I'd argue that the iPhone isn't really a smartphone, it's a mobile computer. Full Darwin kernel, BSD networking -- pretty much a UNIX box in your pocket. To me, that's a far bigger target than Palm OS, the Java Micro Edition inside a BlackBerry, and even Windows Mobile (which, despite the name, is a very different animal under the covers than Microsoft's desktop OS).</p>

<p>And isn't there a battle going on for the Rich Internet Application (RIA, aka WebApp) space? You betcha. Google didn't just drop Chrome for no reason. SproutCore, Flash/Air, Silverlight/.Net, Prism, Safari, Java, etc. all want to own what's likely the next major computing platform (the web "cloud").</p>

<p>Bottom line: for both Apple and consumers, the advantages of Flash and Java currently do not outweigh the drawbacks, especially as standard web technologies continue to narrow the gap between proprietary plugin capabilities and the open internet (HTML, CSS, AJAX).</p>

<p>That's my opinion, at least. What's yours?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.imore.com/2008/09/04/flash-and-java-on-the-iphone-video-dream-vs-security-nightmare-redux/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
	</channel>
</rss>

