  • Cydia Package isslfix Fixes SSL Vulnerability For iOS < 4.3.5


    With the release of JailbreakMe 3.0 and Apple's response, iOS has been updated twice in order to patch the JailbreakMe exploit and other vulnerabilities. As mentioned in the iOS 4.3.4 article, updating to iOS 4.3.4 is not recommended as it only fixes the PDF exploit that JailbreakMe used. From there, Apple once again released a new version, 4.3.5, to patch other issues that were found. Although redsn0w is now able to jailbreak both 4.3.4 and 4.3.5, it is also not recommended as you will have to deal with a tethered jailbreak.

    Apple's current releases also include patches that are "legitimate" fixes (not a response to JailbreakMe 3.0). The problem is that if you stay jailbroken, you can't get these security updates without upgrading and losing your untethered jailbreak. This issue has now been solved by jan0 (@0naj), who recently released a package called "isslfix" on Cydia.

    In the most basic terms, isslfix patches an SSL vulnerability known as CVE-2011-0228 without requiring an upgrade to the latest firmware. All you need to do is install isslfix from Cydia, and you will have the same protection against this vulnerability that the later iOS firmwares offer.

    More detailed information can be found at jan0's GitHub page, along with information on how to check to see if you're vulnerable or not and how to deal with issues if they do arise.

    Read this article from The Recurity Lablog that explains the CVE-2011-0228 vulnerability:

    You have two options to install isslfix:
    • Install isslfix directly off Cydia from the BigBoss repo
    • Install the isslfix .deb file and follow the installation instructions in the Readme on the GitHub page

    Note: Rebooting your device will be required after installation.

    To test and see if you're vulnerable (or if you're protected with this package), visit the following website on your iDevice:

    https://issl.recurity.com/

    If what comes up looks anything like the picture below (showing the HTTPS), you're vulnerable.



    However, if it gives you a warning and a "Continue" screen before viewing the page, that means you're protected.

    Note: The iOS 5 beta already patches this so there is no need to install isslfix on any iOS 5 beta firmware.

    Apple's support documents describing the security updates in each of these firmwares are listed below:

    iOS 4.3.4
    iOS 4.3.5

    Keep up to date on information about this new fix by following jan0 on Twitter.

    Source(s): jan0 - GitHub, jan0, Apple, The Recurity Lablog
    This article was originally published in forum thread: Cydia Package isslfix Fixes SSL Vulnerability For iOS < 4.3.5 started by Joshua Tucker
    41 Comments
    1. xclusiveiphone -
      Quote (originally posted by Mista Brothason):
      What about PDF patcher 2
      Yes, the PDF patcher 2 was originally made to block the exploit used by jailbreakme.com. Even if you didn't use jailbreakme.com (i.e. greenpois0n or redsn0w) to jailbreak your device, I would install it anyways to be safe because I'm paranoid like that.
    1. halitbaci -
      Hi there - I could not find the app in Cydia although the BigBoss repo is installed. Can anyone write down the exact name of the app for me to search on Cydia?
    1. eddietah -
      On 4.2.1, just install through BigBoss in Cydia. Thanks for sharing this.
    1. mr117 -
      When I installed this on my i4 and rebooted, it came back in SafeMode. I rebooted again and now it seems fine. FYI.
    1. Spiru -
      It broke my unlock (Gevey/FuriousMod), this happen to anyone else?

      EDIT: After deleting and reinstalling, it works.
    1. likedamaster -
      How bout iPhone 2G? What... come back to the 21st century? You guys are mean.
    1. Mysterion -
      So this untether jailbreaks an iPhone 4 on 4.2.9/4.2.10/4.3.4/4.3.5 if it is currently tethered jailbroken?
    1. raduga -
      Quote (originally posted by Mysterion):
      So this untether jailbreaks an iPhone 4 on 4.2.9/4.2.10/4.3.4/4.3.5 if it is currently tethered jailbroken?
      what?
    1. Mysterion -
      Quote (originally posted by raduga):
      what?
      Does this make a tethered jailbreak into an untethered jailbreak?
    1. Joshua Tucker -
      Quote (originally posted by Mysterion):
      Does this make a tethered jailbreak into an untethered jailbreak?
      No it does not. This is strictly a security fix that patches holes you can't patch unless you're on iOS 4.3.5. However, if you're on iOS 4.3.5, you will either have to be stock iOS or on a tethered jailbreak.
    1. Bogusman63 -
      This topic is very helpful. I'm on 4.2.1 and went to the test site and found to be vulnerable. Installed fix and tested again, all went well. Hope I did the right thing.
    1. chris52204 -
      I get a "forbidden you do not have permission to access this" message when I go to this site
    1. chad daddy -
      This work for ipad2?
    1. kschong710 -
      Quote (originally posted by chad daddy):
      This work for ipad2?
      I already done it with my iPad 2 wifi. Fine.
    1. Endscrypt -
      Quote (originally posted by ronw):
      Weird cuz I'm experiencing the same issue. I checked that page first to confirm I was vulnerable then installed which forced reboot but still get page w/o it asking to continue or not

      Nm, cleared history and closed old page and it worked fine
      Had the same prob ooops
    1. smuggler -
      Quote (originally posted by Hosko817):
      can somebody explain this in plain English if this is a necessary fix and why?
      wow, cause you're vulnerable to attacks, it says it in the title

      Quote (originally posted by Mysterion):
      Does this make a tethered jailbreak into an untethered jailbreak?
      haha
    1. smuggler -
      Safari can't open the page for me
    1. iamkeishasarah -
      Quote (originally posted by Spiru):
      It broke my unlock (Gevey/FuriousMod), this happen to anyone else?

      EDIT: After deleting and reinstalling, it works.

      What do you mean? It locked your phone? I'm new to this stuff and I'm using Gevey to unlock my phone. Lately I've been thinking to jailbreak it because I want to change my keyboard color, but I fear jailbreaking my phone will lock my phone back, making Gevey useless. My firmware is 4.10.01 and iOS 4.3.5
    1. n0m0n -
      Quote (originally posted by wohhey):
      Someone can hack your iDevice? I think it's recommended to install this fix if you are on iOS 4.3.3 and jailbroken.
      What about for the CDMA iPhones? 4.2.8.
      Is this needed as well?

      Thanks
    1. ZappoB -
      Quote (originally posted by halitbaci):
      Hi there - I could not find the app in Cydia although the BigBoss repo is installed. Can anyone write down the exact name of the app for me to search on Cydia?
      The same for me, too - I could find nothing in Cydia that relates to this fix. Any other source needed?