  • Panic as @comex Releases JailbreakMe Source


    In a move that is sparking hysterical reactions from mainstream journalists and tech bloggers, the Dev-Team's @comex has released the source code of his JailbreakMe "star" exploit, which made use of vulnerabilities recently patched by Apple in iOS versions 4.0.2 and 3.2.2. With pundits calling the public release of @comex's work 'dangerous' and making dire predictions of imminent "attacks," one could wonder why Apple, Inc., which left second generation iPhones and first-generation iPod touches vulnerable in the new release, is being spared from criticism. The only recourse for users of older devices - of course - is to jailbreak.

    JailbreakMe relies on a hole in Mobile Safari that lets @comex's code break out of the "sandbox" and get root on an iOS device. What 4.0.2/3.2.2 did was to patch the CFF hole and block @comex's IOSurface root escalation exploit... for any device that can run those versions of firmware, that is. Any device older than an iPhone 3G or a second-gen iPod touch is still out in the cold. In response, @saurik is working on a patch that will protect jailbroken devices. Until that Cydia package is ready, the tweak that @cdevwill created will pop up an alert if any other code attempts to use a similar exploit.

    Which brings us to @comex's release. Mainstream tech news sites have reacted with shock and dismay, with Computerworld warning of the "evil uses" the now-useless exploit could be put to, darkly claiming that "It may not be long before comex's work is turned into a weapon for attacks that gain 'root' access, or complete control, of iPhones and iPads." The article further cluelessly states that "Apple's desktop operating system includes the FreeType font engine." (It doesn't.) PCWorld puts the FUD right up front, in the title of an article posted at 5:40 am: "Malicious Attacks Coming Soon." PCWorld's Tony Bradley also somehow decrees that it's "ironic" that another Dev-Team member is working on a patch for the users that Apple ignored. Is that like rain on your wedding day, or a free ride when you've already paid, Bradley?

    The benefit of open systems to improving security has been clear for some time, at least to experts who don't work at One Infinite Loop. Whitfield Diffie, one of the inventors of public-key cryptography and the former head of security at Sun Microsystems, calls BS on software makers' claim their code is more secure because it's secret. As Diffie wrote in Risky Business: Keeping Security a Secret, "it's simply unrealistic to depend on secrecy for security in computer software." Until Apple opens its system, the only way to find and fix the vulnerabilities is through the efforts of people like @comex and Charlie Miller. All the hysteria is just a case of blaming the messenger, rather than focusing on the real security problem in iOS: secrecy.
    This article was originally published in forum thread: Panic as @comex Releases JailbreakMe Source started by Paul Daniel Ash
    66 Comments
    1. M4tt Dam0n -
      Soo true. The more people working and knowing = easier to find bugs/holes.
    1. NozzyEz -
      Quote Originally Posted by jih128 View Post
      sorry for the stupidity but, I don't understand this. how is what comex released bad? what could it do? and which devices are in danger? all jailbreaks or just ones that used jailbreakme?

      haha I'm a noob :-P
      What Comex has released is the source code to jailbreak that demonstrates how to exploit a hole that can give you root access (The God in the System). With complete and utter root access, someone with malicious intent can do everything to your phone or get any information stored on your device, including cookies and what not, without you even ever knowing it. Or can brick the phone remotely, making permanent damage. The list goes on, theoretically at least. This is a hole that is in the mobile safari browser in each and every device up to and including iOS 4.0.1; 4.0.2 fixes this hole. The hole is very serious though, so this is why people seem to think that Comex releasing his source code is a bad thing, when indeed it is not, quite the contrary I reckon.
    1. wrcsti -
      Don't know why he did it but as long as we get a patch it's ok.
    1. havoc0351 -
      Quote Originally Posted by wrcsti View Post
      Don't know why he did it but as long as we get a patch it's ok.
      My theory is, along with what others have mentioned, that he wanted to put Apple in the spotlight on this issue for all to see. It will show how the JB community takes care of its own and isn't full of hackers and evil doers like everyone is made to believe by Apple. This would also shine a light on Apple's negligence with its own OS throughout the years. The ball is in Apple's court now... we're the good guys people!
    1. didithu -
      Open source is better in Apple's case. Bravo @Saurik.
    1. PWNsyst3m -
      Wow, people are way too paranoid nowadays.
    1. iPhoneThereforeIAm -
      Releasing code ultimately helps Apple devs patch security holes they've missed - and forces them into securing iOS for non-JB'ers ASAP.
      How can protecting both the JB and non-JB's alike possibly be a bad thing?

      Apple and their PR cohorts should be thanking the JB devs, not castigating them.
    1. Tyronal -
      Quote Originally Posted by rpgpromaster View Post
      What I can't see is, if Apple have patched Safari, wouldn't emailing the PDF and opening it work, and also syncing the PDF to iBooks????
      The exploit only worked in mobile safari. It was dressed up as font packages read inside safari to gain root access. It won't work any other way.
    1. darkrom -
      I'm sure he's releasing it just to create the need for Apple to patch the security holes in the older devices as well.

      How's that for everyone who uses Apple products. They are sending a message loud and clear...they will NOT continue to support their own products and they don't care about the users. All they want is you to buy the newest version...which they will stop supporting soon enough after you do.
    1. Tyronal -
      Quote Originally Posted by darkrom View Post
      How's that for everyone who uses Apple products. They are sending a message loud and clear...they will NOT continue to support their own products and they don't care about the users. All they want is you to buy the newest version...which they will stop supporting soon enough after you do.
      So when microsuck dropped support for xp and will do with vista, what do you call that? Xp users are open to all the vulnerabilities because of all the explorer holes that haven't been patched when support was dropped. Same with adobe and flash. Latest version doesn't support older devices. Get over yourself, it's called business, they all do it.

      So to use your rationale, "Microsoft and Adobe are sending a message loud and clear... they will NOT continue to support their own products and don't care about their users. All they want is you to buy the newest version...which they will stop supporting soon enough after you do." Sounds stupid ay. Yeah, I thought so. Take your whacking stick and, well you obviously have a regular spot to position it somewhere.
    1. KartRacer -
      ^

      You obviously forget that XP is almost ten years old and Service Pack 3 was released about two years ago. The original iPhone and the 3G aren't nearly as old, and this is a known exploit that can completely take over your phone, and they are completely ignoring their users, and the people that are being raked over the coals for making this public are the ones being blamed. There are ZERO reasons Apple couldn't patch this in an update; they actively choose not to in favor of you buying another product that was just as vulnerable.
    1. Tyronal -
      Quote Originally Posted by KartRacer View Post
      ^
      There are ZERO reasons Apple couldn't patch this in an update; they actively choose not to in favor of you buying another product that was just as vulnerable.
      So you were in the room when they decided that?

      So you agree on dropping support for some products and not other products. How is a 3 year old phone any different than xp os 2 years ago? It was totally up to date then, not ten years old!

      Gee, for a mac boy you sure know quite a bit about microsuck. Not a troll are you?

      Palm did the same thing when they went to windows mobile os and left us devout users in the crapper. So I went elsewhere. I don't use flash for linux because they treat us like lepers, refuse to patch a 3 year old vulnerability and leave our systems open to a whole world of malware. They have one code writer to write for linux. Who can I cry to about that little gem?

      My provider gives incentives to upgrade phones at the end of each contract, they even offered to buy out 50% of my remaining contract to upgrade to iphone4.

      So the facts are, as technology marches on at a pace a normal guy would find hard to follow, it is an inevitability. But people cry anyway. Thing is, I don't wana hear it over and over. It is what it is, so get over it, or get something else. I keep reading over and over how evil apple are and how jobs is a thief and fanboys are zombies. My question to those people, WHY BUY THE DAMN THING????? Some people just love to complain and bash, why do I have to read it? I come here for information, news and valued opinion, but lately it's just wall to wall bashing. I'm sure there are forums for apple bashing, go, enjoy. I'm over this infantile stupid apple/pc hate war.
    1. KartRacer -
      I wasn't in the room but I know for a fact that Apple has shunned users for the sole purpose to get them to buy a new product. That's it. They've done it before with hardware. I'm not complaining about it, I'm just saying it's easily fixed and there isn't a viable reason to not patch something so simple. I didn't mean it to be a one versus another thing, just that it boggles the mind they wouldn't add a simple change to fix it.
    1. Tyronal -
      Quote Originally Posted by KartRacer View Post
      I wasn't in the room but I know for a fact that Apple has shunned users for the sole purpose to get them to buy a new product. That's it. They've done it before with hardware.
      Wonderful. Great, I'd love to read your facts. Post them here and we can all read them. You know the difference between facts and here say don't you?

      Wow this is ground breaking news. Why haven't you come forward before with your facts and exposed apple? This will be a scoop for modmyi. I eagerly await your expose on apple.......... And knowing this you STILL use a mac???? (It is listed in your info) Incredible.

      Messany, get your pen out.
    1. PWNsyst3m -
      Corporations will be corporations.

      And why are you so angry sir? Lol.
    1. Tyronal -
      Quote Originally Posted by PWNsyst3m View Post
      Corporations will be corporations.

      And why are you so angry sir? Lol.
      I gather that's a question for me.

      Not angry more just fed up with people bashing products either because they don't like the company or they don't understand them. I enjoy these great forums, but they seem to be hijacked by those with an agenda looking for a free whack. I've been in business for over 24 years and know the value of a good product and a good corporate name. It takes a lot of hard work to earn that. And when you become big and people see you as a threat some try and bring you down, even though they don't know you, understand you or even in some instances, use your product. They do it for no apparent reason. I don't have any moral objection to anything apple does. They make credible products and they try to serve all masters. Customers, companies they have licence agreements with and shareholders. I agree, corporations will be corporations. Some bad, some not so bad and some good. I don't think apple are a bad or evil company. It would be good if the top 100 corporations innovated with foresight the way apple do. Let's look ahead a little and see what we can create. I have an iPhone. That's it. It's a really good phone for me. I've used apple computers over the years in the work place as well as numerous pc's. I personally enjoy linux. Just me. But when people say "I know for a fact apple kills babies" or something ridiculously stupid like that other guy, "I know for a fact that Apple has shunned users for the sole purpose to get them to buy a new product", I question their agenda and ask for facts (100% of the time there aren't any). Why do they want to tear down the name of a company like that? Because they hate the company philosophy or the guy at the apple store looked like a jerk or that steve jobs is jewish? I don't know. I've been there and it's bloody unfair when others do that while you try your best to please everyone. It's just wrong. If they don't like the product, then don't buy it. I've never put a gun to anyone's head to buy my products. Some here seem to act like they have had a gun put to their head and forced to buy apple.

      These are forums for things apple, I believe that's what it says on the banner. I come here to read and inform myself on things that relate to me. My phone, and I try and share my knowledge on relative things. This site stands as one of the best for that. Why there are these ever increasing anti apple people here, (unless there is a hidden agenda with them) I can't understand. Be open, be honest, cut the crap, declare your interests and we can get on with it. That's all I'm asking. If not, I will question anything suss. Take nothing as a given and question everything.
    1. mortopher -
      Quote Originally Posted by Tyronal View Post
      Wonderful. Great, I'd love to read your facts. Post them here and we can all read them. You know the difference between facts and here say don't you?

      Wow this is ground breaking news. Why haven't you come forward before with your facts and exposed apple? This will be a scoop for modmyi. I eagerly await your expose on apple.......... And knowing this you STILL use a mac???? (It is listed in your info) Incredible.

      Messany, get your pen out.
      You do know the difference between "here say" and "hearsay," don't you?

      Chill out.
    1. ro0oney -
      jailbreakMe has been widely known, didn't see it coming
    1. Tyronal -
      Quote Originally Posted by paganizonda83 View Post
      You do know the difference between "here say" and "hearsay," don't you?

      Chill out.
      (clap,clap,clap) Must have taken you a whole hour to think of that witty retort. Don't overload yourself dude, you might get an aneurism, or is that aneurysm? You can get back to me on that. I didn't know modmyi had an inbuilt spell checker. It's called paganizonda83. And you tell me to chill, piffle.

      Funny that guy never got back to me with the "facts". Hmmm. Pardon me for trying to wade through the BS here.
    1. rhekt -
      @Comex just widely exposed the exploit. This caused it to get patched. And now it's fixed. In a roundabout way he fixed the vulnerability.