  • Panic as @comex Releases JailbreakMe Source


    In a move that is sparking hysterical reactions from mainstream journalists and tech bloggers, the Dev-Team's @comex has released the source code of his JailbreakMe "star" exploit, which made use of vulnerabilities recently patched by Apple in iOS versions 4.0.2 and 3.2.2. With pundits calling the public release of @comex's work 'dangerous' and making dire predictions of imminent "attacks," one could wonder why Apple, Inc., which left second generation iPhones and first-generation iPod touches vulnerable in the new release, is being spared from criticism. The only recourse for users of older devices - of course - is to jailbreak.

    JailbreakMe relies on a hole in Mobile Safari that lets @comex's code break out of the "sandbox" and get root on an iOS device. What 4.0.2/3.2.2 did was patch the CFF hole and block @comex's IOSurface root escalation exploit... for any device that can run those versions of firmware, that is. Any device older than an iPhone 3G or a second-gen iPod touch is still out in the cold. In response, @saurik is working on a patch that will protect jailbroken devices. Until that Cydia package is ready, the tweak that @cdevwill created will pop up an alert if any other code attempts to use a similar exploit.

    Which brings us to @comex's release. Mainstream tech news sites have reacted with shock and dismay, with Computerworld warning of the "evil uses" the now-useless exploit could be put to, darkly claiming that "It may not be long before comex's work is turned into a weapon for attacks that gain 'root' access, or complete control, of iPhones and iPads." The article further cluelessly states that "Apple's desktop operating system includes the FreeType font engine." (It doesn't.) PCWorld puts the FUD right up front, in the title of an article posted at 5:40 am: "Malicious Attacks Coming Soon." PCWorld's Tony Bradley also somehow decrees that it's "ironic" that another Dev-Team member is working on a patch for the users that Apple ignored. Is that like rain on your wedding day, or a free ride when you've already paid, Bradley?

    The benefit of open systems to improving security has been clear for some time, at least to experts who don't work at One Infinite Loop. Whitfield Diffie, one of the inventors of public-key cryptography and the former head of security at Sun Microsystems, calls BS on software makers' claim that their code is more secure because it's secret. As Diffie wrote in Risky Business: Keeping Security a Secret, "it's simply unrealistic to depend on secrecy for security in computer software." Until Apple opens its system, the only way to find and fix the vulnerabilities is through the efforts of people like @comex and Charlie Miller. All the hysteria is just a case of blaming the messenger, rather than focusing on the real security problem in iOS: secrecy.
    This article was originally published in forum thread: Panic as @comex Releases JailbreakMe Source, started by Paul Daniel Ash.
    66 Comments
    1. skj8100 -
      Quote, originally posted by mole92db:
      PDF patch is already out.

      Pic: http://dl.dropbox.com/u/6747848/pdf.png

      Why have Modmyi not reported this yet so more people know about it.
      Probably because they reported on it when the patch was first released days ago......
    1. my1past1is1ur1future -
      hey bro how can we install that?
    1. my1past1is1ur1future -
      how can i install saurik's PDF Patch
    1. Mzungu -
      COMEX you are a DORK.
    1. IMIX -
      The pdf patch is in Cydia, search for it.
    1. gafu -
      @whereswaldo, sorry, feeding off twitter
    1. LGgeek -
      The open source argument may be well and good but I still think JB community is losing PR war. It seems that it has gone from showing Apple and the world what can be done on an open source platform to "sharp stick in the eye" of Apple. I am sure I will get tons of spears chucked in my direction for questioning JB gods but I always say what I think.
    1. awesomeSlayer -
      I support his decision. God dang you, Apple.
    1. one1 -
      Dear evil doers.. stay off my internets
    1. NozzyEz -
      I believe this is what we call a Check and a Mate to Apple, either way, they've lost another battle against the whole Jailbreak community as the Dev Team first finds an exploit, uses it to jailbreak while patching the hole up. Apple then responds with a new patch, but leaves a whole generation of idevices behind, Jailbreakers rejoice as the Dev Team develops hotfix for that generation, thus making jailbreaking a must if you value your security on these, and at the same time, gives out the whole exploit so that hackers everywhere around the world can use it for malicious or great purposes, thus forcing Apple into a Death Grip (Pun very much intended). Now Apple HAS GOT TO respond, either with a patch for that generation (Unlikely, as they know they can get into this chokehold in the future, and obviously can't support each and every legacy idevice they'll ever make), or they have to go public with a new stance towards Jailbreaking. Either way this goes, Apple loses and we, my fellow friends and jailbreakers, we've won a major victory on par with the declaration of the legality of Jailbreaking!

      REJOICE I SAY!

      To LGgeek:
      You do have a point, however, it's too early to tell, maybe this is the best choice of weapon right now. I reckon that once these amateur bloggers get to vent, and a wider spectrum is observed by actual techsites and journalists, the bad light will fall on Apple, especially if we get a few good interviews on sites like Engadget with people like Planetbeing, Comex, Musclenerd etc. etc.
    1. kayvong8 -
      A free ride when you're already late.
    1. havoc0351 -
      Quote, originally posted by LGgeek:
      The open source argument may be well and good but I still think JB community is losing PR war. It seems that it has gone from showing Apple and the world what can be done on an open source platform to "sharp stick in the eye" of Apple. I am sure I will get tons of spears chucked in my direction for questioning JB gods but I always say what I think.
      We're not losing the PR war because of the JB community. We're losing the war because Apple has more money and power to back them in whatever decisions, good or bad, they decide to make.
      Example, the entire antenna shenanigan! No one cared and iPhone 4 still in high demand. No iPhone 4's available anywhere, people are furious, claim to hate Apple and threaten not to buy their products. Guess what? Apple products still flying off the shelves and in high demand!

      Apple protects themselves too well and can do no harm in PR eyes. But we know better so by releasing these exploits we can help shine a light on Apple. Even if it's only a candle light...

      Rant over, :-)
    1. Bluemoldycheeze88 -
      Open is better in some cases.
    1. NozzyEz -
      Quote, originally posted by havoc0351:
      We're not losing the PR war because of the JB community. We're losing the war because Apple has more money and power to back them in whatever decisions, good or bad, they decide to make.
      Example, the entire antenna shenanigan! No one cared and iPhone 4 still in high demand. No iPhone 4's available anywhere, people are furious, claim to hate Apple and threaten not to buy their products. Guess what? Apple products still flying off the shelves and in high demand!

      Apple protects themselves too well and can do no harm in PR eyes. But we know better so by releasing these exploits we can help shine a light on Apple. Even if it's only a candle light...

      Rant over, :-)
      Indeed, I do not think we're anywhere near losing though, even with the small fish bad-mouthing Comex and yelling 'witch' at him. Do also keep in mind, that it is not in anyone's interest to see Apple fail, we want them kept somewhat in place to prevent things like the antenna issue and their closed-mindedness, but we also want Apple to succeed, they are the other part of why we love our devices so much... it is kind of a love/hate relationship as a whole, we want them to prosper, but we want them kept on the ground so that the media can keep them in check.

      EDIT: We want them to succeed because, that means they sell more devices, the more devices they sell, the more money they earn, and in turn the more money they make, the better products they can create for us to jailbreak and be happy with...

      it might not be too far off in the future where jailbreaking is no longer needed, and Cydia will be found inside the App Store...
    1. mortopher -
      Quote, originally posted by tremerone:
      Oddly enough with the news of no longer "illegal" jailbreaking and unlocking Apple continues to proceed against it and forgetting the more important issues that seem to be common around threads: the "death grip" and proximity sensors. I think for such a big company it's time to face the reality and embrace what is going on and use this as a gain/gain opportunity.
      The major issue that a ton of people seem to be ignoring is how on earth Apple could allow this exploit to reside in the os for so long. There has been knowledge of such an exploit for quite a long time now. Hell, they updated Safari on OS X a while ago yet left the same vulnerability wide open in the iOS version of Safari?
    1. NozzyEz -
      Quote, originally posted by paganizonda83:
      The major issue that a ton of people seem to be ignoring is how on earth Apple could allow this exploit to reside in the os for so long. There has been knowledge of such an exploit for quite a long time now. Hell, they updated Safari on OS X a while ago yet left the same vulnerability wide open in the iOS version of Safari?
      you sure it was that same exploit?
    1. havoc0351 -
      Quote, originally posted by NozzyEz:
      it might not be too far off in the future where jailbreaking is no longer needed, and Cydia will be found inside the App Store...
      Wishful thinking at its best. No offense but there is no way it will happen anytime soon. After 4 devices, look at how far or short Apple has come. We just recently were given the ability to copy, paste, multitask (kinda), etc. All things that, at least to me, sound like they should have come in the first place if not with the 3G at least.
      I bet that Apple has already found a way to make everything, available only on Cydia for the moment, work properly on their iPhones. Think about it though. If Apple had released an iPhone that had all those functions to begin with, how many of us would have purchased the next iPhone model. Not nearly enough for Apple to make such a huge profit. To me it's like discovering the cure for cancer with a single pill but selling it as multitreatment cure over the course of 2 years. That's how businesses make money...
    1. zozodouce -
      Quote, originally posted by LGgeek:
      The open source argument may be well and good but I still think JB community is losing PR war. It seems that it has gone from showing Apple and the world what can be done on an open source platform to "sharp stick in the eye" of Apple. I am sure I will get tons of spears chucked in my direction for questioning JB gods but I always say what I think.
      pipe it.
    1. NozzyEz -
      Quote, originally posted by havoc0351:
      Wishful thinking at its best. No offense but there is no way it will happen anytime soon. After 4 devices, look at how far or short Apple has come. We just recently were given the ability to copy, paste, multitask (kinda), etc. All things that, at least to me, sound like they should have come in the first place if not with the 3G at least.
      I bet that Apple has already found a way to make everything, available only on Cydia for the moment, work properly on their iPhones. Think about it though. If Apple had released an iPhone that had all those functions to begin with, how many of us would have purchased the next iPhone model. Not nearly enough for Apple to make such a huge profit. To me it's like discovering the cure for cancer with a single pill but selling it as multitreatment cure over the course of 2 years. That's how businesses make money...
      of course it is wishful thinking. but look at the rate Apple is losing ground to the Jailbreaking community, at some point I reckon that not only will jailbreaking be legal, but it will be a real choice for any iDevice owner. Obviously, we won't see Cydia in the AppStore any time soon, but you know how people say over exaggeration helps get a point across, and as you saw, it did.

      Personally what I could see happen in the future is where there is no jailbreak, and in your settings app there is simply an option to enable an "Advanced User Mode", however, this option will have to be disabled by default, and in order to enable it you will have to jump through a few hoops saying that software faults are at users risk, and maybe even a passcode the user will have to type in which he would get from either Apple or the Carrier linked to the phone's IMEI. That way theoretically you could make sure the user who really wanted this was more capable if not, since you would have to spend the time to jump through the hoops, hopefully thin out the morons that would break it in 5 seconds from the crowd.

      Anyway, more wishful thinking that is. But you can't help but theorize what the future can hold, especially after the congress ruling on jailbreaking
    1. jih128 -
      sorry for the stupidity but, I don't understand this. how is what comex released bad? what could it do? and which devices are in danger? all jailbreaks or just ones that used jailbreakme?

      haha im a noob :-P