Apple security engineers may have breathed a sigh of relief after issuing a security update Wednesday to plug some holes in the iPhone iOS, but now it's time to take a deep breath and hope people install the update.
Comex, the developer of JailbreakMe 2.0, released source code for the now infamous hacks that take advantage of two vulnerabilities in iOS. Beyond voiding the warranty by using the software to jailbreak the iPhone, the code release opens the door for hackers to dump malicious payloads that take complete control of the iPhone, iPad and iPod touch.
The saving grace is that hackers need a social-engineering scam. Apple product users would have to willfully visit a malicious web site or click on a link in an e-mail or text message to allow hackers access to the device.
How dangerous is this new exploit? Mikko Hypponen, chief research officer at F-Secure, called it "impressive" and "dangerous" in a Twitter post.
The vulnerability can potentially be exploited by hackers to run malicious code on an iPhone, iPad or iPod touch, according to Graham Cluley, a senior security consultant at Sophos.
That, he said, means that if you visit a booby-trapped web site from an unpatched iPhone, you could be infected with malware.
"Equally, malicious hackers could send you spam which exploits the vulnerability -- again infecting your Apple gizmo with malware," Cluley said. "The danger is compounded because the code to exploit the vulnerability has been published openly on the web, making it trivial for hackers to exploit."
Hackers Target Apple
Although Apple escaped most hackers' wrath for many years, the company has been the target of high-profile attacks in recent years. Both Macs and iPhones have been attacked.
"We do see malware attacks against the Mac -- in fact, much more than we've seen against the iPhone," Cluley said. "For instance, this week's headlines about the Zeus banking malware included claims that approximately 4,000 Macs were infected alongside the many, many thousands of Windows PCs."
Of course, Windows-based machines are still hackers' primary target. And Android is seeing its share of hits on smartphones. Kaspersky Lab this week reported the first SMS-based malware attacks on mobile phones running Google's Android operating system.
Patch it Fast!
For the iPhone, there is only one response for users who don't want to see their device turned into a mule: "Install the patch right away," Cluley said. "Doing anything less is foolhardy in the extreme and puts your iPhone, iPad, iPod touch at risk of attack."
Even users who have jailbroken the iPhone are advised to install the update. The bad news is that Apple did not include a fix for the first-generation iPhone or iPod touch -- the update only covers the iPhone 3GS or later running iOS 2.0 or later -- leaving older devices open to possible infiltration by hackers.
Posted: 2010-08-12 @ 12:08pm PT
I imagine the iPads are also vulnerable?