• Your favorite








    , and
  • Panic as @comex Releases JailbreakMe Source

    In a move that is sparking hysterical reactions from mainstream journalists and tech bloggers, the Dev-Team's @comex has released the source code of his JailbreakMe "star" exploit, which made use of vulnerabilities recently patched by Apple in iOS versions 4.0.2 and 3.2.2. With pundits calling the public release of @comex's work 'dangerous' and making dire predictions of imminent "attacks," one could wonder why Apple, Inc., which left second generation iPhones and first-generation iPod touches vulnerable in the new release, is being spared from criticism. The only recourse for users of older devices - of course - is to jailbreak.

    JailbreakMe relies on a hole in Mobile Safari that lets @comex's code break out of the "sandbox" and get root on an iOS device. What 4.0.2/3.3.2 did was to patch the CFF hole and block @comex's IOSurface root escalation exploit... for any device that can run those versions of firmware, that is. Any device older than an iPhone 3G or a second-gen iPod touch is still out in the cold. In response, @saurik is working on a patch that will protect jailbroken devices. Until that Cydia package is ready, the tweak that @cdevwill created will pop up an alert if any other code attempts to use a similar exploit.

    Which brings us to @comex's release. Mainstream tech news sites have reacted with shock and dismay, with Computerworld warning of the "evil uses" the now-useless exploit could be put to, darkly claiming that "It may not be long before comex's work is turned into a weapon for attacks that gain "root" access, or complete control, of iPhones and iPads." The article further cluelessly states that "Apple's desktop operating system includes the FreeType font engine." (It doesn't.) PCWorld puts the FUD right up front, in the title of an article posted at 5:40 am: "Malicious Attacks Coming Soon." PCWorld's Tony Bradley also somehow decrees that it's "ironic" that another Dev-Team member is working on a patch for the users that Apple ignored. Is that like rain on your wedding day, or a free ride when you've already paid, Bradley?

    The benefit of open systems to improving security has been clear for some time, at least to experts who don't work at One Infinite Loop. Whitfield Diffie, one of the inventors of of public-key cryptography and the former head of security at Sun Microsystems, calls BS on software makers' claim their code is more secure because it's secret. As Diffie wrote in Risky Business: Keeping Security a Secret, "it's simply unrealistic to depend on secrecy for security in computer software." Until Apple opens its system, the only way to find and fix the vulnerabilities is through the efforts of people like @comex and Charlie Miller. All the hysteria is just a case of blaming the messenger, rather than focusing on the real security problem in iOS: secrecy.
    This article was originally published in forum thread: Panic as @comex Releases JailbreakMe Source started by Paul Daniel Ash View original post
    Comments 66 Comments
    1. ambo's Avatar
      ambo -
      I support comex's decision. Open is better
    1. zoomspeed05's Avatar
      zoomspeed05 -
    1. jordbrett's Avatar
      jordbrett -
      I'm sure he has his reasons for releasing it.
    1. tremerone's Avatar
      tremerone -
      Isn't this what it has been from the beginning?! Exposing the weaknesses and creating freedom! I admit the bad (or should I say wrong) press is still press nonetheless and definitely should put another kink into the chain that is Apple. Oddly enough with the news of no longer "illegal" jailbreaking and unlocking Apple continues to proceed against it and forgetting the more important issues that seem to be common around threads: the "death grip" and proximity sensors. I think for such a big company it's time to face the reality and embrace what is going on and use this a gain/gain opportunity.
    1. l3olsa's Avatar
      l3olsa -
      So are we safe to jailbreak in Any danger?
    1. EddieLeonard's Avatar
      EddieLeonard -
      what i cant see if it apple have patched it safari wouldnt emailing the pdf and opening it work and also syncing the pdf to ibooks????
    1. gafu's Avatar
      gafu -
      Apple left an open hole,@comex screwed the hole and is telling/letting people how....Kinda saying "let's all screw Apple"
    1. corkey20000's Avatar
      corkey20000 -
      Locking my front door as we speak.
    1. itaintrite's Avatar
      itaintrite -
      Jailbreak users are safe as long as they install saurik's PDF Patch.
    1. dsg's Avatar
      dsg -
      Saurik has release the PDF-Patch it's up on Cydia
    1. Dizi's Avatar
      Dizi -
      OMFG we're ALL going to MF'n DIE!

    1. mole92db's Avatar
      mole92db -
      PDF patch is already out.

      Pic: http://dl.dropbox.com/u/6747848/pdf.png

      Why have Modmyi not reported this yet so more people know about it.
    1. santacruzlocal's Avatar
      santacruzlocal -
      Put the women and children to bed and lets go looking for dinner !!! I support his decision ..
    1. reeko's Avatar
      reeko -
      Everytime a jailbreak is released, it is achieved through a flaw in iOS which let's the user/hacker obtain root access, which would be described as a security flaw in iOS.
    1. Repins's Avatar
      Repins -
      Open is Def better!!!
    1. oakland6980's Avatar
      oakland6980 -
      Quote Originally Posted by rpgpromaster View Post
      what i cant see if it apple have patched it safari wouldnt emailing the pdf and opening it work and also syncing the pdf to ibooks????
      its a hole in safari how it handles PDF not really PDFs themself..
    1. CaptainChaos's Avatar
      CaptainChaos -
      This is what Apple gets for being lazy.
    1. chrizskizzle's Avatar
      chrizskizzle -

      Hey, security/antivirus companies: JailbreakMe exploits the browser, but it's /not/ malicious. Block actual bad sites, kthx.
    1. whereswaldo's Avatar
      whereswaldo -
      Why are we calling him @comex? This isn't Twitter
    1. Jahooba's Avatar
      Jahooba -
      Well, as we all know, tech blogs aren't anything if not reactionary. It's big money in hits and advertising to be the quickest with the story.

      This is like a nerd's soap opera; people are very interested in this kind of stuff, but what suffers is the quality of the initial reports. Usually a week or two after the report will you find good, reasoned commentary on any tech subject, as the professionals chime in.