digg

Facebook Connect Join Digg About

Jailbreak hackers FIX iPhone's Mobile Safari TIFF exploit hole!!!

tuaw.com — Apple needs to send them chocolate and roses--and job offers. Not only does the team jailbreak your phone, add Installer.app and fix YouTube, but they also repair patch Safari's TIFF exploit hole. Yes, you read that right. These amazing hackers have done Apple a huge favor and fixed the very same exploit they used to jailbreak.

Who dugg this? Made popular Oct 29, 2007

Add a friend

submitted by

SillyMamma Oct 29, 2007

1459 diggs
digg

81 Comments

geminitojanus, on 10/31/2007, -3/+77It's not actually that huge of news. For example, virus authors (think: bot net) will often close a hole behind themselves as to not "set off authorities"; the system looks patched from an eye-in-the-sky inspection, but upon closer look, you can tell that there is actually a virus running.

It's not an incredibly hard thing to do once you've got root on the machine, and it's almost expected behavior these days (prevents the same machine from being infected twice, prevents someone from taking over your bot by re-exploiting it, etc).
dys2k7, on 10/30/2007, -2/+55Not surprising at all. The first thing a hacker always does is closing the door he used.
inactive, on 10/30/2007, -12/+53But But But I thought Apple software had NO exploits????
KibibyteBrain, on 11/04/2007, -2/+41They didn't do apple a favor, this is totally humiliating to Cuppertino if anything. This is even worse PR than when security firms release zero day patches for MS exploits before MS even acknowledges them. I have a feeling Steve Jobs might be taking up Chair Tossing lessons from Balmer if stuff like this continues!
rstgood, on 10/30/2007, -2/+38somehow I doubt that Steve Jobs will thank them, after all fixing the bug means voiding you warranty still
keyme, on 10/30/2007, -0/+15It makes sense to do so. I mean, they patched the OS though a web page. That is NOT GOOD in terms of security...
phoomp, on 10/30/2007, -2/+17You mean, put the hole back?
Firehed, on 11/04/2007, -1/+11You don't seem to get this... the exploit hacks your phone automatically then closes the exploit it used behind itself.
Firehed, on 10/30/2007, -1/+11Not really. Technically speaking, it's no different than any other website using the same exploit and doing the same thing - this one just happens to be useful. You could end up browsing any page with the same exploit.
iceperson, on 10/30/2007, -0/+9This makes me wonder if Apple could actually void the hardware warranty for users who visit any website that uses this exploit to do something other than jailbreak.
jcblitz, on 10/30/2007, -12/+21For example, virus authors (think: bot net) will often close a hole behind themselves as to not "set off authorities";

Some times they do it so they won't lose the box to other people using the same exploit.
Firehed, on 10/30/2007, -1/+9It'll matter if Apple hasn't patched the actual exploit by then. The iPhone hackers used it for good, but someone could just as easily do some trickery with the same exploit that bricks your phone or does something generally unpleasant. Hell, it could install something that looks like Installer than when you run it pulls an "rm -rf /".
neodorian, on 10/29/2007, -1/+9Not sure what you're getting at here.
sholt, on 10/30/2007, -1/+8Because arbitrary code injection exploits are cool?

I'm still waiting for someone to use this as a starting point for a self-replicating worm, seeing how MobileMail auto-opens image attachments, including TIFFs. It'd be "I LOVE YOU" all over again.
dvdrtrgn, on 10/30/2007, -2/+8Then you are a fool. It's "Mac" OS X that has no exploits... jk
chris9902, on 10/29/2007, -0/+6http://digg.com/tech_news/Leopard_Hacked_Install_L ...
iChainsaw, on 10/30/2007, -0/+6why is mac in quotes? am i missing something?
mrmacky, on 10/30/2007, -0/+5The iPhone is quoted to run on OS X, not Mac OS X.
SniperX, on 10/30/2007, -0/+5that's what he said already...

"prevents someone from taking over your bot by re-exploiting it"
directive0, on 11/04/2007, -1/+5then you should probably have your main olfactory system examined.
iChainsaw, on 10/29/2007, -0/+4are you retarded?
luma, on 10/29/2007, -0/+3That's precisely the problem, and that's what this hack also fixes. The issue is a buffer overrun in libtiff (that has been known about on other platforms for ages). Assuming that they are patching the library itself, this should prevent users from exposure to any such worm regardless of where it's encountered on the patched iPhone.

For those of you who are choosing _not_ to hack your iPhone (and thus remain vulnerable) - good luck!
petard, on 10/30/2007, -0/+3SO! Who wants to go to an Apple store and do this?
Me1000, on 11/05/2007, -0/+2no, you dont get either of them! it went right over your head!
graiz, on 10/29/2007, -0/+2I'm not able to get 3rd party apps to run using this tool. Apps install and seem to launch then quickly crash. Anyone else seeing this?
graiz, on 10/29/2007, -0/+2Found a solution... You need to install BSD sources to get many of the apps to work properly. (Not sure why this isn't listed as a requirement)
formerssgtusmc, on 10/29/2007, -0/+2I agree...what I meant was all of the hubbub over Jailbreaking and developing apps
sholt, on 10/30/2007, -0/+1so...wait, you're trying to SCARE people into hacking their phone?

...what an asshat.
Me1000, on 10/30/2007, -1/+2This is a pretty kick ass "Web App"
chris9902, on 10/30/2007, -0/+1A patch will come out. It did for every release of tiger.
bs0l, on 11/05/2007, -0/+1Touché.
shampoovta, on 10/30/2007, -1/+2"zombies iPhones" makes a funny picture in my head. Happy Halloween!
dimplemonkey, on 10/29/2007, -1/+2I think he thinks that viruses can only get on the PCs that sync up to iPhone and not Macs. Sorry, DiggLive, root access means everyone's invited to the party. Thankfully, these dudes were altruistic in their endeavors.
stutimandal, on 10/30/2007, -1/+2over9000: Apple software has no exploits ONLY for the fanboys :)

Rest of the world got to know 56 critical security bugs in Safari right on the day when it was released for Windows.
rasbill, on 10/29/2007, -0/+1point taken, but maybe apple hasnt fixed it yet, i mean seems like a pretty big hole, and they could have released a patch right after they fixed it thru itunes, but they havent so i have to assume that they didnt know how to fix it, or they have there updates on some type of timetable, but even if they did, why wait to release a fix for such a bad problem
linoth, on 10/30/2007, -2/+3Correct me if I'm wrong, but wasn't it a TIFF flaw that led to the original PSP firmware exploit? Anyone else get the feeling that the TIFF format is your best friend?
inactive, on 10/30/2007, -0/+1Hey Steve put that in your blunt and smoke it!
tmalloy, on 10/30/2007, -0/+1I'm not sure if you need community sources or not but you might as well install it. In Installer.app go to the sources directory and install community sources. Then under the system directory, install BSD Subsystem.
bs0l, on 10/30/2007, -1/+2I don't think Steve Jobs will thank them because by fixing the bug you'd be voiding your warranty.
DaviDaviDaviD, on 10/29/2007, -0/+1Yep I found this as well buddy. I think you have to install the BSD which like an idiot I didn't install last time I was in a WiFi hotspot!
linoth, on 10/30/2007, -2/+3My bad, did my own research on that. TIFF led to the 2.0 downgrade exploit. Still :)
solidus636, on 10/29/2007, -0/+1What if you have AMD?
shampoovta, on 10/29/2007, -0/+1Cool tatts but that is exactly why I will never get a tattoo. Every one of them should be getting $ paid $ for that ad or sued for copyright infring,...God, has it come to that. You know what! Stop the world I want to get off.
Me1000, on 10/29/2007, -0/+1That ad was referring to Viruses, this is not a virus!
inactive, on 10/30/2007, -0/+1i would laugh so hard i would probably pee my pants if i saw a hacked iphone in an apple store.
bradkovach, on 10/30/2007, -0/+1A british joke? I see what you did there.
beardedfish, on 10/31/2007, -0/+1This just shows how naive us general Mac users can be. We don't have tons of experience with hackers, other than tweaking the OS and whatnot, so we assume that a favor was done. Don't worry, we'll catch up eventually.
allanmacaulay, on 10/30/2007, -1/+1(noob question) how is it that we do that?
aggemam, on 10/29/2007, -1/+1It might be a reference to this ad:
http://www.apple.com/movies/us/apple/getamac_ads1/ ...
in which "PCs, not Macs" is said.
dimplemonkey, on 10/29/2007, -1/+1too bad no one put up a bounty to get these guys paid. We Apple fanboys are spoiled.
Show 51 - 78 of 78 discussions
Add a Comment

Login or register to comment!
Or, sign-in super fast with your Facebook account ...

Site Links: Home; Take a Tour; Search Digg; Digg Mobile; RSS Feeds; Popular Archive

Help: Frequent Questions; How Digg Works; Report a Website Bug

All About Digg: About Us; Contact Us; Community Guidelines; The Digg Blog; Digg Townhalls & Meetups; Jobs at Digg; Advertise on Digg; Diggnation Podcast

Digg Store: Get hats, shirts, hoodies, stickers, and more at the Digg Store.

Digg Tools & API: All Digg Tools; DiggBar Tools; Firefox Toolbar; Twitter Feeds; Add Digg to Google; Netvibes Widget; Integrate Digg Buttons; Digg Badges; Make a Digg Widget; API for Developers

Digg Dialogg!: Digg Dialogg lets you choose the questions.

Digg Labs: Get a real-time view beneath the surface of Digg.; Digg Labs Home; Arc, Swarm, Stack, Bigspy, Pics

© Digg Inc. 2009 — Content created and posted by Digg users is dedicated to the public domain | Terms of Use Updated | Privacy Policy
DIGG, DIGG IT, DUGG, DIGG THIS, Digg graphics, logos, designs, page headers, button icons, scripts, and other service names are the trademarks of Digg Inc.