As it turns out, a new point and click jailbreaking tool, also exposes a previously unknown flaw in iOS that could expose the tens of millions of Apple iOS users to the risk of a malicious drive-by attack.
"The site, jailbreakme.com, exploits an iOS vulnerability to run unauthorised code on Apple customers' iPhones and iPads, including the new iPad 2," Graham Cluley of security firm Sophos wrote in a blog post. "In this way they allow users to unlock their devices, and run programs that have not been approved by the official AppStore."
The risk is that the same iOS vulnerability that jailbreakme uses, could also potentially be leveraged by an attacker, as well. A malicious website could be created and then when an iOS user visits the website the could unknowingly become exploited. Currently, there are no approved antivirus apps in the AppStore for iOS, so there is no immediate fix available.https://o1.qnsr.com/log/p.gif?;n=203;c=204660770;s=9477;x=7936;f=201812281321530;u=j;z=TIMESTAMP;a=20396194;e=iAccording to a report from the Associated Press, Apple is aware of the issue and is currently working on a fix the problem.
The process of jailbreaking a phone is not illegal in the U.S. and the author of the jailbreakme site claims that he's not promoting exploits either.
"Releasing an exploit demonstrates the flaw, making it easier for others to use it for malice, but they have long been present and exploitable," the jailbreakme FAQ states. "Although releasing a jailbreak is certainly not the usual way to report a vulnerability, it still has the effect of making iOS more secure in the long run."
The new zero day flaw also highlights the overall risk to iOS users from jailbreaking their phones in the first place according to at least one mobile secure vendor.
"Jailbroken devices become excellent hosts for mobile botnets," Tom Kellermann, CTO of AirPatrol Corp told InternetNews.com. "Organizations must practice continuous monitoring of smart phones and dynamically manage their behaviors based on location so as to best manage mobile risk and the digital insider."
"Mobile botnets will be the bane of cybersecurity professionals in 2011," Kellermann added.