It affects the iPhone 5, which is coming out tomorrow, not to mention all the other iDevices that can run iOS 6. I'm sure Apple will have it patched soon enough.
Not only that but we don't know how long the security hole has been there for. I've been running iOS 6 for months now, wouldn't be surprised if these guys did the same thing in preparation.
? What does the size of the deployment have to do with being able to find a bug? It's not like they went searching through millions of slightly different copies of safari to find the broken one.
"We really wanted to see how much time it would take a motivated attacker to do a clean attack against your iPhone. For me, that was the motivation. The easy part was finding the WebKit zero-day."
If finding the exploit was the easy part I'm curious what the hard part was.
Also, Apple should be incentivizing and supporting hackers more directly. It shouldn't have to take a (thankfully) white-hat hacker conference to get bugs like this fixed.
Well... maybe I'm being too hyperbolic. But, I am under the impression that Safari is still the default handler for http things. So, links from the mail app or maps will open in Safari. I don't think it's that outrageous to suggest that malicious links have ever been sent via email.
We can all sit here on HN and say that you shouldn't just go around clicking on everything that arrives in your inbox, but phishing is still something that banks deal with.
I wonder if this exploit can be used to jailbreak Iphone 5, untethered at least.. some previous, user-friendly online jailbreaks used .pdf vulnerabilities in Safari, but I am not sure if they used it with a combination of another privelege escalation exploit..
14 comments
[ 2.8 ms ] story [ 36.0 ms ] threadIf finding the exploit was the easy part I'm curious what the hard part was.
Also, Apple should be incentivizing and supporting hackers more directly. It shouldn't have to take a (thankfully) white-hat hacker conference to get bugs like this fixed.
1) Upgrade to a newer version of iOS to patch the exploit, and suffer a major functionality regression with regard to maps.
2) Not upgrade and risk having all the personal information on the phone stolen by a malicious website.
We can all sit here on HN and say that you shouldn't just go around clicking on everything that arrives in your inbox, but phishing is still something that banks deal with.