Apple still mum on iOS fix

Lack of patch giving attackers window of opportunity to target iOS users, but security experts note delay due to vendor's efforts to roll out properly-tested, quality fix.
Written by Ellyne Phneah, Contributor

Apple remains vague on when it expects to release a patch for an iOS vulnerability that emerged last week, but at least one security expert said he is hopeful the patch will be "ready sooner rather than later". Despite the absence of exploits to date, users are at risk and should consider a third-party patch, another pointed out.

Last week, Comex released a new version of JailbreakMe.com, which offers users the freedom to use any application they wish--including those not sanctioned by Apple. Following the release, security experts warned that the same vulnerability JailbreakMe.com capitalizes, can also be used by malicious attackers to deliver malware to mobile devices that run on the platform. The hole is tied to the way the mobile version of Safari handles PDF files.

The potential for danger prompted the German government to issue a statement shortly after the jailbreak tool was released, warning users of "critical weaknesses" in the iOS operating system.

In a response to e-mail queries from ZDNet Asia, a Singapore-based Apple spokeswoman provided no further update apart from reiterating an earlier statement from Cupertino. "Apple takes security very seriously, we're aware of this reported issue and developing a fix that will be available to customers in an upcoming software update."

Graham Cluley, senior technology consultant at Sophos, noted in an e-mail interview that Apple is likely to be "working as fast as it can" to roll out the patch. According to him, the delay is caused by "quality control".

"It's better that they take their time and create the patch 'properly' and test that it works and doesn't cause conflicts than rush something out hastily," he pointed out. "Of course, everyone is keen for a fix and we hope it comes as soon as possible--but I am hopeful they will have it ready sooner rather than later."

"Last time this happened it took [Apple] about 10 days to come out with the patch," he added. "Hopefully they'll be able to do it in a similar timescale or better this time."

Cluley had warned last week in a statement sent to media, that the vulnerability allows cybercriminals to "create booby-trapped Web pages", which when accessed by an unsuspecting iPhone, iPod Touch or iPad owner, would run code without the user's permission.

While Guillaume Lovet, senior manager at Fortinet's FortiGuard Labs Threat Response Team, noted there are currently no known attempts to exploit the vulnerabilities, he also said attackers can launch "drive-by attacks" to infect Web-surfing victims with viruses and Trojan horses.

Lovet added that, personally, he would install the third-party patch offered by the developers behind JailbreakMe.com--"in case malicious exploitations of that flaw start to be reported".

Known as PDF Patcher 2, the fix is offered by Dev-Team, of which Comex is a member. However, as it only protects jailbroken phones, users need to jailbreak their devices in order to apply the patch.

"Third party patches like these don't go through extensive QA (quality assurance) phases like official ones, and you always run a risk of glitches after installation," he said. "But there will be people--who would rather have a device that might sometimes be less stable than have a cybercriminal access their contacts, photos, passwords etc.--who will still install it."

The absence of an official solution does not bother all Apple customers. One told ZDNet Asia that he expects Apple to release patch within the next two months. A cause for worry, added economics graduate Lim Kian Hean, would be if someone else had physical access to his jailbroken device as the individual would then be able to retrieve Lim's iTunes password.

Student Rafiq Jalil, however, opined he has "private stuff on my phone, as well as my iTunes and social media passwords and contacts which I don't want to be stolen".

"I hope Apple does something," he said.

More reported vulnerabilities
According to a Symantec whitepaper released on Jun. 28, the company's security researchers have discovered around 200 different vulnerabilities in various versions of the iOS operating system since its initial release.

Most would allow an attacker to control only a single process but a "handful" enabled attackers to take administrator-level control of the device--granting them access to virtually all data and services on the device, Symantec said.

However, Kwee Anping, senior technical consultant at Symantec Singapore, pointed out in an e-mail that the company considers iOS' security model to be well designed and largely resistant to attacks. That said, the platform's provenance approach--one of the five security pillars Apple's iOS is based on--only works for devices that have not been intentionally hacked by their owners. Jailbroken devices, he pointed out, have been the target of at least two computer worm attacks to date.

In addition, under the provenance model, Apple always vets "every single publicly available app" while its code signing model prevents tampering with published apps. "There is no way for a third party to modify or introduce another app--for example, to add improvements to it--without breaking the 'seal' on that app's digital signature."

Graham Titterington, principal analyst at Ovum, noted however that Apple relies on the reputation of the app developer and not the actual analysis of an app, adding that this was "a potential avenue of infection" of devices.

The U.K-based analyst also observed that there are now inherent vulnerabilities on Apple devices. In addition, attackers are finding it is increasingly "worthwhile" to focus their attacks on them, he said in an e-mail. This, he explained, was not the case previously as Apple products were "not as commonly used as Windows devices".

Reconsider antivirus
Apple's walled approach also extends to security software--both Cluley from Sophos and Fortinet's Lovet noted that the company does not allow antivirus in the App Store.

Lovet, who said antivirus would help Apple users in the absence of an official patch, added that Apple may change its policy of shutting out antivirus "if malware exploiting iOS flaws surface".

The vulnerability associated with JailbreakMe.com is not the only security-related headline linked to Apple. Earlier this month, hackvist group Anonymous also announced it managed to hack into Apple's systems and retrieved usernames and passwords. The Apple spokesperson declined to confirm the report.

Editorial standards