Earlier this week, a security researcher well-known for hacking Apple products said he’d found a kernel bug that let him run unsigned code on iOS devices, bypassing Apple’s protections. Within 72 hours, Apple had fixed that flaw.
Apple released an update to iOS 5 on Nov. 10 for the iPhone, iPod Touch, and iPad to fix a bug that caused the battery to drain, along with a handful of security bugs, including the flaw discovered by Charlie Miller, a principal research consultant at Accuvant. This was the first time Apple distributed an iOS update over the air, so users did not have to connect their devices to a computer to install the patches.
Miller discovered a bug in the iOS kernel which would allow a malicious developer to run unsigned code on the user’s iPhone or iPad. He exploited the bug by creating an app which would phone home to a server and open a remote shell. Miller was able to issue remote commands and perform several tasks on the device. When reports of the exploit were publicized, Apple yanked the app off the iTunes App Store and suspended Miller from the developer program.
“It’s obvious that Charlie Miller really got under the Apple skin. This must be some kind of record; Apple ousted him from the developer program and then patched his bug in record time,” Andrew Storms told eWEEK.
Even knowing how quickly Apple can patch serious security flaws, the turnaround was “surprising,” Storms said. The company had to address this problem immediately because it “struck a serious blow at the ‘halo of safety’” that surrounded the iTunes App Store, according to Storms.
The bug, and the fact that Miller was able to get an app past Apple’s review process and into the App Store, showed the platform wasn’t immune to some of the problems Google has had with malicious apps appearing on the Android Market. The fact that Apple reviewed each app was supposed to prevent dangerous apps from slipping in.
“Charlie’s critical flaw definitely has the potential to eat away at the trust Apple has carefully developed with users, partners and developers,” Storms said.
The battery problem was one of the first problems uncovered after Apple released iOS 5 in October. Almost immediately, users complained that battery life plummeted after they upgraded their devices to iOS 5. The company maintained its silence during the entire time users were complaining, before acknowledging “a software problem” and promising a patch. In the advisory, Apple did not give any details beyond a one-line note: “Fixes bugs affecting battery life,” the company said.
Apple also fixed two security flaws, discovered by Facebook’s Erling Ellingsen, which could have disclosed personal data on iOS devices if the user had visited a malicious website, the advisory said. The issue in CFNetwork could be exploited through a maliciously crafted URL, causing CFNetwork to navigate to an incorrect server, according to the advisory. The other issue was in libinfo and how it handled Domain Name System (DNS) lookups; it could have been exploited with a maliciously crafted hostname, Apple said.
A CoreGraphics bug exposed users to arbitrary code execution if they viewed a document containing a maliciously crafted font. The flaw involved multiple memory corruption issues in FreeType, according to Apple. The company also revoked DigiCert Malaysia certificates after recent reports that the certificate authority had been compromised.
Apple also fixed a problem with Passcode Lock which allowed a person with physical access to a locked iPad 2 to still be able to access user data. “When a Smart Cover is opened while iPad 2 is confirming power off in the locked state, the iPad does not request a passcode,” Apple said.
Apple also fixed problems with documents stored in iCloud, improved voice recognition capabilities for users with Australian accents and added multi-tasking gestures to the original iPad.