Feeds

Apple kills code-signing bug that threatened iPhone users

Hacker who discovered it remains excommunicated

Protecting against web application threats using SSL

Apple has patched a serious bug in iPhones and iPads that allowed attackers to embed secret payloads in iTunes App Store offerings that were never approved during the official submission process.

Charlie Miller, who is principal research consultant at security firm Accuvant, was kicked out of the iOS developer program on Tuesday after demonstrating the danger posed by the weakness. The InstaStock title that he wrote and was accepted into the app store in September billed itself as nothing more than a program to track the share prices of publicly traded companies. But behind the scenes, it bypassed protections built into iOS devices that prevent code from running on them, unless it's signed by Apple's official cryptographic seal.

As a result, InstaStock allowed Miller, who is the other coauthor of The Mac Hacker's Handbook, to surreptitiously spy on anyone who installed the app. Just hours after he disclosed the secret functionality – and the bug that made it possible – Apple excommunicated him from the developer program, making him ineligible to test the security of new products before they are released to the public.

On Thursday, about 48 hours after Miller exposed the threat, Apple said it had closed the security hole in iOS 5.0.1.

“A logic error existed in the mmap system call's checking of valid flag combinations,” the advisory said. “This issue may lead to a bypass of codesigning checks.” The threat had existed since the release of iOS 4.3.

Code signing represents a significant barrier to getting malicious apps on iPhones and iPads that haven't been jailbroken. It prevents code from running on the devices unless it has been digitally signed by Apple officials, and it also stops developers from modifying the app after the fact. It is perhaps the single biggest security distinction between iOS and Google's rival Android operating system.

Miller was able to circumvent code signing after he discovered an exception that was introduced in iOS 4.3 that, for the first time, created a small region in iPhones and iPads where unsigned code downloaded from the internet could be executed. The exception was designed to improve the performance of Safari by allowing it to do just-in-time compiling.

Thursday's iOS update also includes fixes for at least four other security threats, including a flaw that allowed locked iPad 2 devices to be opened without entering a passcode. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.