• Your favorite

    Apple

    ,

    iPhone

    ,

    iPad

    ,

    iOS

    ,
    Jailbreak
    , and
    Cydia
    site.
  • Cydia Package isslfix Fixes SSL Vulnerability For iOS < 4.3.5


    With the release of JailbreakMe 3.0 and Apple's response, iOS has been updated twice in order to patch the JailbreakMe exploit and other vulnerabilities. As mentioned in the iOS 4.3.4 article, updating to iOS 4.3.4 is not recommended as it only fixes the PDF exploit that JailbreakMe used. From there, Apple once again released a new version, 4.3.5, to patch other issues that were found. Although redsn0w is now able to jailbreak both 4.3.4 and 4.3.5, it is also not recommended as you will have to deal with a tethered jailbreak.

    Now: In Apple's current releases, there were things that were patched that were actually "legitimate" fixes (not in response to JailbreakMe 3.0). The problem is, if you're sticking jailbroken, you aren't able to get this security updates without having to upgrade and lose an untethered jailbreak. This issue has now been solved by jan0 (@0naj) who recently released a package called "isslfix" on Cydia.

    In the most basic terms, isslfix patches an SSL vulnerability known as CVE-2011-0228 without having to upgrade to the latest firmwares. All you simply need to do is install isslfix from Cydia and you will have the same protection that the later iOS firmwares offer.

    More detailed information can be found at jan0's GitHub page, along with information on how to check to see if you're vulnerable or not and how to deal with issues if they do arise.

    Read this article from The Recurity Lablog that explains the CVE-2011-0228 vulnerability:

    You have two options to install isslfix:
    • Install isslfix directly off Cydia from the BigBoss repo
    • Install the isslfix .deb file and follow the installation instructions in the Readme on the GitHub page

    Note: Rebooting your device will be required after installation.

    To test and see if you're vulnerable (or if you're protected with this package), visit the following website on your iDevice:

    https://issl.recurity.com/

    If what comes up looks anything like the picture below (showing the HTTPS), you're vulnerable.



    However, if it gives you a warning and a "Continue" screen before viewing the page, that means you're protected.

    Note: The iOS 5 beta already patches this so there is no need to install isslfix on any iOS 5 beta firmware.

    If you wish to read support documents from Apple discussing the different security updates from the firmwares at hand, read below:

    iOS 4.3.4
    iOS 4.3.5

    Keep up to date on information about this new fix by following jan0 on Twitter.

    Source(s): jan0 - GitHub, jan0, Apple, The Recurity Lablog
    This article was originally published in forum thread: Cydia Package isslfix Fixes SSL Vulnerability For iOS < 4.3.5 started by Joshua Tucker View original post
    Comments 41 Comments
    1. mael's Avatar
      mael -
      I installed this and my contact stopped syncing via bluetooth to my car.

      Rebooted several times and the issue continued.

      Deinstalled isslfix and the contacts synced again.

      Anyone else see this issue?

      iPhone 3G[s], iOS 4.3.1 jb with pwnagetool custom firmware.