With the release of iOS 6.1.3, Apple has also dropped a security note that details the bugs and issues patched in this version. The note credits the discovery of four of the six bugs fixed to evad3rs, the team behind the evasi0n jailbreak.
By its very nature, the process of jailbreaking iPhones requires that iOS be flawed. These flaws, sometimes called vulnerabilities or bugs, are used by the jailbreaking teams to open up the system partition of the iPhone and to allow users to install applications outside of the App Store.
While many of the vulnerabilities leveraged by jailbreakers are not necessarily major threats to user security, there have been times (like the Jailbreakme PDF exploit) where they pose an exploitable risk. This is a commonly overlooked aspect of jailbreaking, which many say gives them back the freedom to play with every aspect of their devices. That’s true, but it’s worth remembering that this freedom comes at the price of leaving around un-patched bugs which make iOS less secure.
Which means that Apple isn’t likely to leave those bugs sitting around for too long (though it has at times) after jailbreaking teams take advantage of them. But it also doesn’t have to give those same teams credit for finding the bugs which they then exploit to craft jailbreak tools like evasi0n.
But that’s just what they’ve done in the security note released today and pointed out by iPhone Dev Team member Musclenerd.
The four bugs credited to evad3rs are as follows:
Impact: A local user may be able to execute unsigned code
Description: A state management issue existed in the handling of
Mach-O executable files with overlapping segments. This issue was
addressed by refusing to load an executable with overlapping
Impact: A local user may be able to determine the address of
structures in the kernel
Description: An information disclosure issue existed in the ARM
prefetch abort handler. This issue was addressed by panicking if the
prefetch abort handler is not being called from an abort context.
Impact: A local user may be able to change permissions on arbitrary
Description: When restoring from backup, lockdownd changed
permissions on certain files even if the path to the file included a
symbolic link. This issue was addressed by not changing permissions
on any file with a symlink in its path.
Impact: A local user may be able to execute arbitrary code in the
Description: The IOUSBDeviceFamily driver used pipe object pointers
that came from userspace. This issue was addressed by performing
additional validation of pipe object pointers.
There are also two other bugs credited to researchers. The Passcode Lock issue, credited to Christopher Heffley of theMedium.ca, which Apple says was due to a logic issue which existed in the handling of emergency calls from the lock screen. This issue was addressed through improved lock state management. And a bug in WebKit which allowed for app termination or code execution credited to Nils and Jon from MWR Labs working with HP TippingPoint’s Zero Day Initiative.