Monday, November 22, 2010

Apple's iOS 4.2.1 addresses two iPhone security issues that I found

Apple released iOS 4.2.1 today, which addresses two bugs I found and reported to them.  Their description of the issues are pretty accurate, but I do have some additional comments.  You can check out Apple's description of these bugs at http://support.apple.com/kb/HT1222


Apple has included this text in the description for both bugs:  "An attacker with a privileged network position may...".  I do not agree with this.  We have seen countless demonstrations of data on the internet traveling through networks it is not supposed to because of attacks using BGP, DNS, and other protocols.  I feel like this wording should be reserved for cases where the attacker has to do something more than hijack data over the public internet.  For example, if you must be able to get on some private internal network, like a 10.x network inside the attacker's house, perhaps that is a privileged network position.  I don't think China was in a privileged network position when they (supposedly?) hijacked traffic destined for US websites.


I understand that these attacks are much easier if you are on the local network of the victim.  I just think the days of implying this is the extent of the problem are long over.  It is possible Apple did not intend to imply this -- and I just wanted to make sure I clarified how I see the risk.


1. Photos.app CVE-2010-3831
Using this vulnerability, someone in a "privileged network position" (read: Pretty much anyone on the internet) could hijack your MobileMe password.  Users of MobileMe understand that this is more than just access to your photo album.  While that may be embarrassing, access to your MobileMe provides a ton of services which an attacker would find useful.  I guess webmail is probably a more realistic target.
To be vulnerable, you had to attempt to post an image from your iPhone to your MobileMe Gallery.


2. iAd Content Display CVE-2010-3828
An attacker leveraging this issue could cause an iPhone application that has implemented iAds to automatically FaceTime dial a destination of their choice.  I originally believed this was a lot more severe because applications can run in the background.  However in my testing iAd content was never accessed by applications unless they were frontmost.  Of course, if you leave Safari open and the application can be launched via  a URL handler it may be possible to cause something that was not previously frontmost to trigger a phone call.
I suppose that makes it similar in some respects to the issue Nitesh recently highlighted using Skype as an example when talking about URL handling on the iPhone (link).


I would like to thank Apple's Product Security team for getting these issues addressed quickly and for providing me updates about the status of the issues as they were being addressed.  I just installed the update, which appears to address a ton of other serious issues.  I recommend everyone go install it now.. unless you need to keep your device vulnerable so you can test your exploit modules :)


Aaron