iOS Update Locks the Gate on Evasi0n Jailbreak
Mar 21, 2013 6:00 AM PT
Apple on Wednesday rolled out another update to its iOS operating system: 6.1.3, which clamps down on Evasi0n, one of the most popular iOS jailbreaks.
"The widespread use of this latest jailbreak hack seems to have energized Apple to deliver a fix in relatively short order," Charles King, principal at Pund-IT, told MacNewsWorld.
The update also improves Apple Maps for Japan and fixes other bugs in the OS.
Apple's release of iOS 6.1.3 raises the question of whether the operating system has become less secure.
"The continuing success of the iPhone and iPad suggests that such a response will need to become the rule of thumb for the company," King said.
"Do people consider iOS as secure as BlackBerry or Samsung's new entry with its Knox device?" asked Michael Morgan, a senior analyst at ABI Research. "I do not."
What iOS 6.1.3 Does
The update patches several holes Evasi0n exploited to perform an untethered jailbreak on all iOS devices. These include the latest versions of the iPhone, iPad and iPod Touch.
iOS 6.1.3 also fixes a bug that let people bypass the lock screen passcode and access the iPhone's contacts, voicemail and photos by dialing 911 and then immediately cancelling the call.
Type checking has been improved in iOS 6.1.3 to remedy an invalid cast issue in the handling of scalable vector graphics files. This flaw could unexpectedly terminate an application, or allow arbitrary code execution when a user visited a poisoned website.
Other flaws that were fixed include one that let local users potentially execute arbitrary code in the kernel. The problem was that the driver used pipe object pointers from userspace. Apple's fix is to have iOS 6.1.3 perform additional validation of pipe object pointers.
Once users upgrade to iOS 6.1.3 through iTunes and Software Update, they can't go back to an earlier version of the operating system. Software Update and iTunes will automatically check Apple's update server on its weekly schedule and will download the update. Users can also manually obtain the update through the Check for Updates button within iTunes, or the Software Update feature.
After the update has been downloaded, the option of whether or not to install it will pop up when users next dock their iOS devices. Apple recommends users apply the update immediately. If they opt not to install the update, the option will come up again the next time the iOS device is docked.
The Evasi0n Invasion
Evasi0n, which works on all iPhone, iPod touch, iPad and iPad mini devices running iOS 6.0 through 6.1.2, was launched at the end of January. It was reportedly downloaded almost seven million times in less than a week.
Shortly after Evasi0n rolled out, Apple reportedly updated its article about making unauthorized modifications to iOS devices with a note about the dangers of jailbreaking.
In its release notes for iOS 6.1.3, Apple reportedly credited the creators of Evasi0n, known as the Evad3rs, for uncovering four of the security holes that the update patched.
iOS And The Question of Security
More consumers are bringing their iOS devices into the workplace, and that has focused attention on the security -- or the lack of it -- within Apple's operating system.
"The sheer number of iOS devices and their use in a variety of consumer and business environments makes them sweet targets," King said. "I think the attraction of iOS is in (bank robber) Willie Sutton's 'follow the money' spirit."
It's not that iOS is insecure in and of itself. "The standard security features are there, but iOS as a platform has middle-of-the-road security capabilities," Morgan told MacNewsWorld. "It's not designed to focus around granularity of policy control, enterprise management and a lot of those things."
The frequent updates to iOS 6.1 "secure flaws, meaning loopholes, where a feature is designed to do something, but a hacker turns it on its side and it becomes a security hole," he added. "That's different from managing security efforts that are targeting the enterprise customer."
Apple did not respond to our request to comment for this story.