iOS Trojan Exploit Closed In 5.0.1, All May Rest Easy
Earlier this week it became apparent that there was an exploitable hole in the app development and distribution process, discovered by now-excommunicated coder Charlie Miller. What we're to understand from today's update to iOS 5.0.1 is that this exploit has been completely done away with. The story surrounding this exploit hit the fan when Miller was kicked out of the iOS Developer Program after telling Apple (and the rest of the world) about the issue. Today the story is closed (for everyone but Miller) due to a line of confirmation in the iOS 5.0.1 security update log, so everyone can sit back down and stop tossing hands left and right wildly.
Do be sure to check out that story on Miller and have a chat with him if you will, because there must certainly be more to the story than what's stated if Miller was kicked out for doing what he's good at: finding and flagging security holes. But what you, the average user, should note for now is that the hole he discovered in iOS 5 and the App Store is now fixed, or so says the security report. Those of you without the update to iOS 5.0.1 will be receiving it sometime today (or soon) over the air, or you could alternatively head to iTunes and hit the update button on your Summary screen.
Security holes are what Apple promotes as nearly nonexistent on its iOS mobile operating system and its ultra-curated App Store on iTunes. Have a peek at our iOS portal and see how, each of the few times the subject comes up, it's a darn big surprise. Have you ever had a security problem with Apple?
This newest fix is noted thusly in the update, and DO note how Charlie Miller is credited in it:
Available for: iOS 3.0 through 5.0 for iPhone 3GS, iPhone 4 and iPhone 4S, iOS 3.1 through 5.0 for iPod touch (3rd generation) and later, iOS 3.2 through 5.0 for iPad, iOS 4.3 through 5.0 for iPad 2
Impact: An application may execute unsigned code
Description: A logic error existed in the mmap system call's checking of valid flag combinations. This issue may lead to a bypass of codesigning checks. This issue does not affect devices running iOS prior to version 4.3.
CVE-ID
CVE-2011-3442 : Charlie Miller of Accuvant Labs