Apple fixes iOS vulnerability exposed by Charlie Miller

Apple fixes the security vulnerability that was at the center of its decision to dismiss Charlie Miller from the iOS developer program.

Apple has wasted no time fixing the code signing bypass vulnerability exposed by Charlie Miller in the recent disclosure flap that ended with Miller being kicked out of Apple's iOS developer program.

Apple shipped the patch for Miller's vulnerability in the new iOS 5.0.1 software update that also fixes a publicly known passcode lock issue that affected the iPad 2 device.

Despite the controversial decision to dismiss Miller from the iOS developer program, Apple publicly credited the Accuvant security researcher for finding and reporting the kernel security hole.

From the advisory:


A logic error existed in the mmap system call's checking of valid flag combinations. This issue may lead to a bypass of codesigning checks. This could be exploited to allow an application to execute unsigned code.


Using a proof-of-concept app that masqueraded as a stock ticker, Miller was able to commandeer an iPhone device via the installed app.

The iOS 5.0.2 update also fixes some additional security problems:

  • CFNetwork: An issue existed in CFNetwork's handling of maliciously crafted URLs. When accessing a maliciously crafted HTTP or HTTPS URL, CFNetwork could navigate to an incorrect server. Visiting a maliciously crafted website may lead to the disclosure of sensitive information.
  • CoreGraphics: Multiple memory corruption issues existed in FreeType, the most serious of which may lead to arbitrary code execution when processing a maliciously crafted font. Viewing a document containing a maliciously crafted font may lead to arbitrary code execution.
  • libinfo: An issue existed in libinfo's handling of DNS name lookups. When resolving a maliciously crafted hostname, libinfo could return an incorrect result. Visiting a maliciously crafted website may lead to the disclosure of sensitive information.
  • Passcode Lock: When a Smart Cover is opened while iPad 2 is confirming power off in the locked state, the iPad does not request a passcode. This allows some access to the iPad, but data protected by Data Protection is inaccessible and apps cannot be launched. A person with physical access to a locked iPad 2 may be able to access some of the user's data.
