Web Threat Spotlight
A Web threat is any threat that uses the Internet to facilitate cybercrime.
ISSUE NO. 70
AUGUST 16, 2010
Jailbreaking Tool for Apple Mobile Devices Exploits iOS Vulnerabilities
Being hot items in today's technology-savvy market, Apple products such as the iPod and iPhone have also become natural targets of malicious
schemes. In fact, TrendLabs noted another potential problem that Apple mobile device users may face: jailbreaking. Using the jailbreaking
tool on Apple mobile devices may be harmful, as it exploits a certain iOS vulnerability, which can eventually become a new infection vector for
future Web threats.
The Threat Defined
Days after jailbreaking Apple mobile devices was legalized by the U.S. Copyright Office, a developer known as
“Comex” released a very easy-to-use tool that works on iPhone 4.0, iPhone 3G, and iPod Touch 3G devices,
among others. The tool dubbed JailbreakMe can be downloaded from a site that can be accessed via Mobile Safari.
Jailbreaking allows users to modify the OS of their Apple mobile device, which will, in turn, allow them to install
various non-Apple applications onto their devices. It should be noted, however, that jailbreaking an Apple mobile
device nullifies its warranty.
JailbreakMe Exploits Two iOS Vulnerabilities
JailbreakMe may appeal to Apple mobile device owners who want to run applications
that they cannot otherwise install onto their devices. Using this tool, however, comes
with certain risks. In fact, upon closer inspection, TrendLabs engineers found that
JailbreakMe exploits two vulnerabilities in order to run non-Apple apps on Apple
mobile devices.
The first vulnerability has to do with how Mobile Safari handles .PDF files.
Cybercriminals may distribute specially crafted .PDF files that exploit a program flaw
in FreeType 2, a font engine that opens and processes font files used in PDF readers,
Web browsers, and other applications. This vulnerability has to do with how FreeType 2
handles some Compact Font Format (CFF) opcodes, which, when abused, can
result in stack corruption.
Stack corruption, also known as a stack buffer overflow, occurs when a program writes more data
to a buffer than was actually allocated for it. This almost always corrupts
adjacent data on the stack. Cases in which an overflow is triggered by mistake often
cause a program to crash or operate incorrectly; a deliberately crafted overflow can, in turn, allow arbitrary code
execution on an affected system.
Figure 1. JailbreakMe app execution prompt
Meanwhile, the second vulnerability is related to an integer overflow that exists in how
an affected device handles IOSurface properties.
An integer overflow occurs when a numeric value computed by a program is larger than the storage space assigned to hold it, so the stored value wraps around.
This can lead to unintended behaviors such as a buffer overflow, which can then allow cybercriminals to gain the
same system privileges as the device user and run malicious code on an affected mobile device.
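The two bug classes described above, a stack buffer overflow caused by an unchecked length (the CFF opcode handling case) and an integer overflow in a size computation (the IOSurface properties case), as an added C example. This code is not part of the original spotlight and does not reproduce the FreeType or iOS code; the record format, the field and function names, and the sample bytes are all constructed for illustration. Each bug shape is shown next to the check that closes it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy record format (neither CFF nor IOSurface data): one
 * length byte, that many name bytes, then a 32-bit big-endian element
 * count and a 32-bit element size that together size a table the
 * reader would allocate. */
#define NAME_MAX 16

enum {
    PARSE_OK            =  0,
    PARSE_TRUNCATED     = -1,
    PARSE_NAME_TOO_LONG = -2,
    PARSE_SIZE_OVERFLOW = -3
};

typedef struct {
    char     name[NAME_MAX];
    uint32_t table_bytes;
} record_t;

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Bug shape 1: stack buffer overflow. The length byte is trusted and the
 * copy has no upper bound, so a length above NAME_MAX writes past the
 * local buffer into whatever sits next to it on the stack. Kept only for
 * contrast; parse_record() below never takes this path. */
static size_t copy_name_unchecked(const uint8_t *in)
{
    char local[NAME_MAX];
    size_t n = in[0];
    memcpy(local, in + 1, n);          /* no check that n < NAME_MAX */
    return n;
}

/* Bug shape 2: integer overflow. count * elem is computed in 32 bits, so
 * 0x10000 * 0x10000 silently wraps to 0 and any later allocation based
 * on it is far smaller than the data written into it. */
static uint32_t table_bytes_unchecked(uint32_t count, uint32_t elem)
{
    return count * elem;               /* unsigned wrap-around */
}

/* Hardened multiply: reject any product that does not fit in 32 bits. */
static int table_bytes_checked(uint32_t count, uint32_t elem, uint32_t *out)
{
    if (elem != 0 && count > UINT32_MAX / elem)
        return PARSE_SIZE_OVERFLOW;
    *out = count * elem;
    return PARSE_OK;
}

/* Hardened parser: every length taken from the input is validated against
 * the buffer it indexes and the destination it fills before it is used. */
static int parse_record(const uint8_t *in, size_t in_len, record_t *rec)
{
    if (in_len < 1)
        return PARSE_TRUNCATED;
    size_t n = in[0];
    if (n >= NAME_MAX)                 /* keep one byte for the NUL */
        return PARSE_NAME_TOO_LONG;
    if (in_len < 1 + n + 8)            /* name bytes plus two u32 fields */
        return PARSE_TRUNCATED;
    memcpy(rec->name, in + 1, n);
    rec->name[n] = '\0';
    const uint8_t *p = in + 1 + n;
    return table_bytes_checked(be32(p), be32(p + 4), &rec->table_bytes);
}

/* Constructed sample inputs. */
static const uint8_t GOOD_RECORD[] = {
    4, 'F', 'o', 'n', 't',
    0x00, 0x00, 0x00, 0x10,            /* count = 16 */
    0x00, 0x00, 0x00, 0x20             /* elem  = 32 -> 512 bytes */
};
static const uint8_t LONG_NAME_RECORD[] = { 40, 'A', 'A', 'A' }; /* claims 40 name bytes */
static const uint8_t WRAP_RECORD[] = {
    1, 'X',
    0x00, 0x01, 0x00, 0x00,            /* count = 0x10000 */
    0x00, 0x01, 0x00, 0x00             /* elem  = 0x10000 -> product wraps to 0 */
};

static int parse_status(const uint8_t *in, size_t in_len)
{
    record_t rec;
    return parse_record(in, in_len, &rec);
}

static uint32_t parsed_table_bytes(const uint8_t *in, size_t in_len)
{
    record_t rec;
    return parse_record(in, in_len, &rec) == PARSE_OK ? rec.table_bytes : 0;
}

int main(void)
{
    printf("good record:  status %d, table %u bytes\n",
           parse_status(GOOD_RECORD, sizeof GOOD_RECORD),
           (unsigned)parsed_table_bytes(GOOD_RECORD, sizeof GOOD_RECORD));
    printf("long name:    status %d\n",
           parse_status(LONG_NAME_RECORD, sizeof LONG_NAME_RECORD));
    printf("wrapped size: status %d (unchecked product would be %u)\n",
           parse_status(WRAP_RECORD, sizeof WRAP_RECORD),
           (unsigned)table_bytes_unchecked(0x10000u, 0x10000u));
    return 0;
}
```

The two checks in parse_record() are the whole fix: the name length is compared against both the destination buffer and the remaining input before the copy, and the table size is computed through an overflow-checked multiply so that a wrapped product is reported as an error rather than handed to an allocator.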
Users who download JailbreakMe via Mobile Safari were found to have actually downloaded a specially crafted .PDF file
(detected as TROJ_PIDIEF.HLA) that contains the jailbreaking code. The file exploits a vulnerability in how the
device handles CFF fonts, which can result in memory corruption.
Although the file does not carry any malicious payload, the same technique can still be easily used to instigate cybercriminal attacks
targeting iOS devices. In fact, Trend Micro advanced threats researcher Joey Costoya believes that the public availability of the
PDF exploit on the jailbreaking site can allow virtually anyone to create a malicious .PDF file
using the said exploit.
Figure 2. JailbreakMe infection diagram
User Risks and Exposure
There is a high probability that the technique JailbreakMe employed to jailbreak Apple mobile devices will be used
to spread malware, especially as the tool is readily available on the Web. The increasing popularity of Apple mobile
devices among consumers may even turn jailbreaking into a new infection vector for cybercriminal use. To avoid
becoming a victim of cybercrime, think twice before downloading any tool off the Internet, as the security risks it
brings may outweigh the rewards. In response to this threat, Apple recently released a security patch to resolve the
aforementioned vulnerabilities. We thus strongly advise users to immediately update their mobile devices by visiting
the Apple support pages listed below.
For even better protection, users may download Trend Micro Smart Surfing for iPhone, which blocks access to
malicious sites, including the site where JailbreakMe is hosted.
Trend Micro Solutions and Recommendations
The Trend Micro™ Smart Protection Network™ infrastructure delivers advanced protection from the cloud, blocking
threats in real time before they reach you. A global network of threat intelligence sensors correlates with email, Web,
and file reputation technologies 24x7 to provide comprehensive protection against threats. As the sophistication of
threats, the volume of attacks, and the number of endpoints rapidly grow, lightweight, comprehensive, and
immediate threat intelligence in the cloud is critical to overall protection against data breaches, damage to business
reputation, and loss of productivity.
In this particular attack, Smart Protection Network’s file reputation technology immediately detects and deletes
malicious files like TROJ_PIDIEF.HLA from infected products. Web reputation technology, on the other hand,
blocks user access to malicious sites from which the malware may be downloaded.
The following post at the TrendLabs Malware Blog discusses this threat:
http://blog.trendmicro.com/online-iphone-jailbreak-uses-ios-vulnerabilities/
The virus report is found here:
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PIDIEF.HLA
Other related posts are found here:
http://www.pcworld.com/article/201906/govtapproved_iphone_jailbreaking_wont_help_users.html?tk=rel_newsd
http://www.pcworld.com/article/202335/jailbreaking_an_iphone_is_a_snap_thanks_to_new_website.html
http://www.kb.cert.org/vuls/id/275247
http://en.wikipedia.org/wiki/Stack_buffer_overflow
http://support.apple.com/kb/HT4292
http://support.apple.com/kb/HT4291
http://en.wikipedia.org/wiki/Integer_overflow