Apple

Stories related to Apple Computer Inc.

Apple iPhone/iPod Touch/iPad Security Update

Yesterday Apple released a security update that patches the Jailbreakme vulnerabilities to stop people Jailbreaking their Apple devices.

Okay, so maybe I’m looking at this the wrong way around, but it seems that when a vulnerability gets a lot of media attention, Apple work the backsides off to get this one patched. I understand that we are talking serious vulnerabilities here, but still. I’ve personally been in contact with Apple for a couple of months now in regards to a DoS vulnerability that I discovered, and still have no time line on when a patch for this will be released, so maybe all that’s needed is to turn this into some media hype, hmmm.

So the vulnerabilities that this patches are the following:

  • FreeTypeCVE-ID: CVE-2010-1797

    Available for: iOS 2.0 through 4.0.1 for iPhone 3G and later, iOS 2.1 through 4.0 for iPod touch (2nd generation) and later

    Impact: Viewing a PDF document with maliciously crafted embedded fonts may allow arbitrary code execution

    Description: A stack buffer overflow exists in FreeType’s handling of CFF opcodes. Viewing a PDF document with maliciously crafted embedded fonts may allow arbitrary code execution. This issue is addressed through improved bounds checking.

  • IOSurfaceCVE-ID: CVE-2010-2973

    Available for: iOS 2.0 through 4.0.1 for iPhone 3G and later, iOS 2.1 through 4.0 for iPod touch (2nd generation) and later

    Impact: Malicious code running as the user may gain system privileges

    Description: An integer overflow exists in the handling of IOSurface properties, which may allow malicious code running as the user to gain system privileges. This issue is addressed through improved bounds checking.

Safari AutoFill Exploit

So it seems that Safari uses the details from your Address Book to AutoFill forms on web sites, this is enabled by default. In theory this is a great idea, until someone writes some malicious JavaScript to get these details passed to a hidden form without your knowledge. Looking through all the possible available fields in the Apple Address Book app, it really gets quite troubling. Name, Address, Job Title, Department, Anniversary. This could all be used nicely for a really fun Social Engineering exercise, or really help with an identity theft scam.

There is a PoC of this hosted here.

Personally I’d suggest disabling AutoFill in Safari’s preferences, better safe than sorry.

Why Is Paid Responsible Disclosure So Damn Difficult?

So I’ve been sitting on an Apple vulnerability for over a month now, and I’m really starting to realise that maybe just sending the details to the Full-Disclosure mailing list and Exploit-DB.com is the right way to go about disclosing vulnerabilities and exploits.

I initially contacted ZDI to see if they would be at all interested in buying the exploit off of me, as I spent a lot of time researching and finding this one, and I’d like to get something for my efforts. I am a firm believer in the No More Free Bugs movement, I understand and appreciate what ZDI are doing, but the fact that it took them just under a month to get back to me, is really not good enough to be very honest. If they don’t have the researchers, then advertise worldwide, instead of just US only. I know I for one, would be happy validating bugs all day, and this is the the type of work that can be remotely.
Yesterday I also submitted the same information to iDefense Labs Vulnerability Contributor Program (VCP), who claim to get back to me within 48 hours, so we’ll see how that goes. I will update this post as and I when I know more.

I also took the off chance of mailing Apple directly, and asking if they offer any rewards for vulnerabilities that have been found, and if so what they would be. I don’t have high hopes on Apple offering anything, but to be honest, I would prefer to  disclose this one directly to Apple. They however  have paid staff to do this work on a full time basis on all their products, so why aren’t they doing it properly, and I feel that anyone else finding bugs for them, should be compensated appropriately. However, I e-mailed them yesterday and recieved an automated response, so we see how long it takes them to respond to me as well.

This may end up being a rather long post, but let’s see. I’m also expecting to see quite a few interesting comments on this post as well, so come on people.

UPDATE 30/06/2010:

Received a response from iDefense last night,and a request for more info. So just over 24 hour response time, which is brilliant, I’m really impressed so far.

Recieved a response from Apple, and if I would like any reward (aside from credit for the find), then I was informed that I should go through ZDI or iDefense.

iPhone Data Protection

Now that Apple has released IOS 4 there are a couple of funky security features that you can make use of, namely Data Protection and strong passcodes.

“Data protection enhances the built-in hardware encryption by protecting the hardware encryption keys with your passcode. This provides an additional layer of protection for your email messages and attachments. Third-party applications can use the data protection APIs in iOS 4 to further protect application data.”

For more information on how to enable this feature, please see the Apple article HT4175.

Stong passcodes means that you can finally do away with the standard 4 digit PIN to lock your iPhone and you can now set up complex passwords instead. To enable this, go into Settings->General->Passcode Lock and then turn off Simple Passcode.