iOS 5.0.1 Fixes Charlie Miller’s Code Signing Security Flaw

Apple released iOS 5.0.1 earlier on Thursday, and in addition to addressing the much-hated battery drain issue, the update includes six security fixes. One of those fixes is for a flaw attributed to Charlie Miller, the security researcher Apple recently banned from the company’s developer program.

Mr. Miller drew Apple’s ire when he submitted an app to Apple’s iOS App Store as part of his proof-of-concept testing for a security flaw he had discovered. Once Apple approved the app, Mr. Miller used it to download unsigned code from his own server and execute that code on his iPhone.

He did all this without Apple’s knowledge, and the company kicked him out of its developer program, despite the fact that the researcher is responsible for finding (and reporting to Apple) many security flaws in Apple’s software over the years.

In any event, that same flaw appears to be among those fixed in this update. Apple’s security patch notes include this entry:

  • Kernel

    Available for: iOS 3.0 through 5.0 for iPhone 3GS, iPhone 4 and iPhone 4S, iOS 3.1 through 5.0 for iPod touch (3rd generation) and later, iOS 3.2 through 5.0 for iPad, iOS 4.3 through 5.0 for iPad 2
    Impact: An application may execute unsigned code
    Description: A logic error existed in the mmap system call’s checking of valid flag combinations. This issue may lead to a bypass of codesigning checks. This issue does not affect devices running iOS prior to version 4.3.

    CVE-ID

    CVE-2011-3442 : Charlie Miller of Accuvant Labs

Other security fixes in this update include:

  • CFNetwork

    Available for: iOS 3.0 through 5.0 for iPhone 3GS, iPhone 4 and iPhone 4S, iOS 3.1 through 5.0 for iPod touch (3rd generation) and later, iOS 3.2 through 5.0 for iPad, iOS 4.3 through 5.0 for iPad 2
    Impact: Visiting a maliciously crafted website may lead to the disclosure of sensitive information
    Description: An issue existed in CFNetwork’s handling of maliciously crafted URLs. When accessing a maliciously crafted HTTP or HTTPS URL, CFNetwork could navigate to an incorrect server.

    CVE-ID

    CVE-2011-3246 : Erling Ellingsen of Facebook

  • CoreGraphics

    Available for: iOS 3.0 through 5.0 for iPhone 3GS, iPhone 4 and iPhone 4S, iOS 3.1 through 5.0 for iPod touch (3rd generation) and later, iOS 3.2 through 5.0 for iPad, iOS 4.3 through 5.0 for iPad 2
    Impact: Viewing a document containing a maliciously crafted font may lead to arbitrary code execution
    Description: Multiple memory corruption issues existed in FreeType, the most serious of which may lead to arbitrary code execution when processing a maliciously crafted font.

    CVE-ID

    CVE-2011-3439 : Apple

  • Data Security

    Available for: iOS 3.0 through 5.0 for iPhone 3GS, iPhone 4 and iPhone 4S, iOS 3.1 through 5.0 for iPod touch (3rd generation) and later, iOS 3.2 through 5.0 for iPad, iOS 4.3 through 5.0 for iPad 2
    Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information
    Description: Two certificate authorities in the list of trusted root certificates have independently issued intermediate certificates to DigiCert Malaysia. DigiCert Malaysia has issued certificates with weak keys that it is unable to revoke. An attacker with a privileged network position could intercept user credentials or other sensitive information intended for a site with a certificate issued by DigiCert Malaysia. This issue is addressed by configuring default system trust settings so that DigiCert Malaysia’s certificates are not trusted. We would like to acknowledge Bruce Morton of Entrust, Inc. for reporting this issue.

  • libinfo

    Available for: iOS 3.0 through 5.0 for iPhone 3GS, iPhone 4 and iPhone 4S, iOS 3.1 through 5.0 for iPod touch (3rd generation) and later, iOS 3.2 through 5.0 for iPad, iOS 4.3 through 5.0 for iPad 2
    Impact: Visiting a maliciously crafted website may lead to the disclosure of sensitive information
    Description: An issue existed in libinfo’s handling of DNS name lookups. When resolving a maliciously crafted hostname, libinfo could return an incorrect result.

    CVE-ID

    CVE-2011-3441 : Erling Ellingsen of Facebook, Per Johansson of Blocket AB

  • Passcode Lock

    Available for: iOS 4.3 through 5.0 for iPad 2
    Impact: A person with physical access to a locked iPad 2 may be able to access some of the user’s data
    Description: When a Smart Cover is opened while iPad 2 is confirming power off in the locked state, the iPad does not request a passcode. This allows some access to the iPad, but data protected by Data Protection is inaccessible and apps cannot be launched.

    CVE-ID

    CVE-2011-3440


Comments

jbruni

The over-the-air update worked really well.

If you want to poke your iOS device to get the update, go to Settings->General->Software Update.

ilikeimac

Anyone know if this hole was fixed in the 5.0.1 beta? Or is it new for the public release? I don’t know how the timing works out, but if Apple had this fix in the pipeline before Charlie Miller’s stunt, that would indicate his “demonstration” had no effect on the priorities; otherwise, maybe it did. (Either way, he’s got no grounds for complaining; he broke a contract and Apple showed that there’s more than one way to protect against software vulnerabilities.)

archimedes

Charlie Miller seems to enjoy annoying Apple and trying to embarrass the company publicly. On the other hand, he is clearly a fan(boy?) of Apple products and is good at finding security bugs.

Perhaps simply removing the offending app from the App Store would have been enough?

archimedes

If you want to poke your iOS device to get the update, go to Settings->General->Software Update.

Although I knew it was part of iOS 5, I can’t say how shocked I was to actually see “Software Update” on my iDevices after all of these years, and to have it actually work. It’s almost like a real, stand-alone computer! :D

OK Apple, now where’s my auto-update?
