Apple released updates yesterday for iOS on the iPhone, iPad, and iPod Touch to patch flaws that were exploited by the JailbreakMe hack. The author of the JailbreakMe hack responded by making the JailbreakMe source code public--providing malicious developers with the tools they need to attack the iPhone or iPad. The race is on to apply the Apple iOS updates before malicious exploits start circulating.
The updates from Apple--iOS 4.0.2 for the iPhone and iPod Touch, and iOS 3.2.2 for the iPad--were developed hastily by Apple in response to the realization that the flaws exploited by the JailbreakMe tool to hack iOS by simply visiting a Web site could also be used for more malicious purposes. If JailbreakMe can bypass security controls and modify the core operating system, then so can other attacks.
Following the release of the iOS updates from Apple, Comex--the author of the JailbreakMe tool--made the source code of JailbreakMe public. The motive for that move seems unclear, because the net result is that even users that hacked their smartphone or tablet using the JailbreakMe tool now have an urgent reason to apply the Apple updates, most likely undoing the jailbreak and reverting to an Apple-managed device.
With the source code in the wild, malicious attacks are likely imminent as other developers work to craft new attacks based on the exploits used in the JailbreakMe tool. Just as with the JailbreakMe tool, attacks could take total control of the iPhone or iPad simply by luring users to visit a malicious Web site or click on a malicious link from a vulnerable device.
Mikko Hypponen, chief research officer for computer security vendor F-Secure, called the exploit impressive and dangerous. He wrote a blog post urging iPhone, iPad, and iPod Touch users to apply the Apple updates. "Although we haven't yet seen malicious attacks via the JailbreakMe vulnerability, we recommend to install the patch right away."
Hypponen goes on to explain that "This does mean that users who have jailbroken their devices and prefer to keep it that way will have to face the increased likelihood of malicious attacks through this vulnerability," adding "We recommend that all iOS users, including those who have jailbroken their devices, would install the latest update now."
Unfortunately for users of first-generation iPhones and iPod Touches, the Apple iOS updates do not apply to those devices. In an ironic twist, though, a patch has been developed by a different jailbreak hack developer. The patch is available through Cydia, so first-generation iPhone and iPod Touch users will first have to jailbreak the device in order to download and apply the update.
IT admins should guard against iPhone or iPad users jailbreaking devices in the first place. But--more importantly--IT admins should require that any iPhones or iPads used in a business environment apply the Apple iOS updates immediately to guard against imminent attacks based on the JailbreakMe exploit.