Pwn2Own is a hacking contest which in previous years demanded OS exploits on day one, allowed browser vectors on day two (how OS X was compromised last year — thanks Safari!), and opened the floodgates with 3rd party bugware on day three. First person to successfully hack a machine won it as a prize, along with a nice cash bounty for their troubles.

This year, Ars Technica says Pwn2Own is doing something a little different: they’re bringing in the mobiles!

Apple’s iPhone is front and center on their target list, along with the Google Android G1, and devices from the BlackBerry, Symbian, and Windows Phone families. Pwn the mobile and you not only win it, but $10,000 to boot!

Not a lot of solid info on the rules yet, but we’ll keep a look out. Any white hats out there eager to try their luck?

This is a story by the iPhone Blog. This feed is sponsored by The iPhone Blog Store.

Want a Free iPhone and $10,000 Prize? Pwn2Own it!

Forbes.com (via TUAW) is claiming Ziphone jailbreak author Piergiorgio Zambrini has found a way to crash the iPhone (and other computer systems, according to Zambrini’s own website) using specially crafted video files:

The bug Zambrini found is in the audio portion of Apple’s video format. Knowing the bug exists, someone could write a program that incorporates the bug into a video file and trigger a crash whenever an iPhone attempts to run that file. The bug, which is located in a shared code library that is used across most Apple operating systems and some Linux ones as well, doesn’t appear to cause any permanent damage, but immediately sends the device into a panic that leads to a lengthy reboot.

Since it crashed the device and not just the app, one security expert quoted feels it’s a kernal vulnerability that’s been discovered. Zambrini, who paradoxically claims to have both applied for a job with Apple’s security team, and that working for Apple is not his goal, is apparently exploring the vulnerability as a way to inject malicious code.

Lovely.

Howsabout next time we be a little more responsible and keep the information confidential, alerting only the OS makers involved, giving them a reasonable amount of time to patch the problem before we put real world end-users at risk by alerting bad guys to potential exploits, b’okay?

This is a story by the iPhone Blog. This feed is sponsored by The iPhone Blog Store.

ZOMG! Ziphone Dude Crashing iPhones With Malicious Audio Code?

Last week the UK ruled that Apple was misrepresenting the iPhone’s provisioning of “just the internet” due to the lack of support for two ubiquitously popular 3rd party plugins: Flash and Java. We’ve previously covered the will they/won’t they drama surrounding development and deployment of Flash and Java pretty much ad nauseum infinitum, as well as some seldom discussed yet surprisingly frightening concerns about Flash and its downright sneaky use of 3rd party advertising cookies.

More recently, however, another issue has come to light. Primarily concerned with Windows Vista security and how it can be circumvented, this issue throws a renewed focus on the danger of 3rd party plugins like Flash and Java, on how they interpret and run code on our machines, and how they provide an increasingly popular attack vector for bad guys (hackers, malware authors, identity thieves, etc.)

How does this all relate to the iPhone, and what about ZOMG! Can has my Flash vidz? Read on to find out!

Before we begin, I’ll just mention again that I’m a long time (10+ years) web developer who works quite a bit with Flash. I’ll also add that some coverage of the issues I’m about to get into has tended towards the sensationalistic. The sky is not falling. We’re not doomed. Or, at least, not because of anything to do with Flash, Java, or the iPhone.

Caveat’d enough? Good.

Back in early August at the Black Hat conference, Alexander Sotirov and Mark Dowd presented a paper amusingly titled How to Impress Girls with Browser Memory Protection Bypasses. While Vista security proper is beyond the scope of this blog, as Operating Systems like OS X on the iPhone become increasingly hardened against security exploits, the web browser becomes the path of least resistance for hackers to get at us and our stuff.

The iPhone’s browser, MobileSafari is currently the closest thing to a desktop-class rendering engine as can be found on a handset. It’s based on the same WebKit core as Safari for Mac and Windows, and so it’s not unreasonable to imagine it shares the same advantages (real HTML, CSS, and AJAX) and risks (can be exploited). This could potentially include buffer overruns, cross site scripts, and — yes — plugin vulnerabilities.

On a recent episode of the TWiT network’s popular Security Now! podcast, Steve Gibson summed up the problems with Flash and Java:

Their technologies, especially in the case of Java, Java has, deliberately has readable, writable, and executable memory because of the way it operates. o it’s a big target. And so many of these third-party things, which you could pretty much depend upon, you know, Flash player is installed in the high 90 percentile of Windows machines so you can count on it being there.

And what if we could likewise count on their being on the iPhone? What potential problem could that expose?

Certainly after this paper has come out where these guys demonstrate clearly the exploitability of Flash, which is not [Data Execution Prevention] compatible, it’s like, okay, Adobe, if you want your code in my machine, you make it safe. Because we’ve seen a bunch of Flash exploits here in the last few months. And, you know, this wouldn’t be possible if Adobe would do the work. I don’t care how hard it is, it’s certainly possible to code around this [...] Basically this is laziness. In this day and age, for Flash still not to be marked as DEP friendly when it is in a highly vulnerable environment, it’s not like it’s something down on your tray, it’s in your browser. And we know what a target browsers are just by their very nature. I mean, in fact, the whole focus of this paper was specifically browser vulnerability. [...] It is very common applications like Silverlight, like Flash, commonly used components, or even Media Player, that are invokable by the browser and still not yet safe, that is really now the main target of exploitation.

We’ve already seen MobileSafari exploits in the wild (indeed, a TIFF-based vulnerability was one of the first ways people found to jailbreak the iPhone 1.1.1 — just by entering a URL in the browser!)

Again, this is not breakworld stuff. No need to panic and lock your handset in a lead box. Future versions of Flash and Java (and similar plugins) will likely address these issues.

Just remember, for now, that the iPhone is tremendously popular, and thus will be a tremendously popular target for hackers. Apple already has to worry about securing the HTML, CSS, AJAX (Javascript), and Quicktime (which they own and can therefore rapidly address) components of Mobile Safari. Add to that the complications of 3rd party code interpreters with a very real history of not only exploits, but (in the case of Flash) for being bloated and buggy on the Mac (another thing Adobe has chosen not yet to prioritize fixing), and it begins to make more sense why we haven’t seen Flash or Java on the iPhone, a device that knows who we are (all our date) and where we are (3G aGPS).

But wait, other smartphones run versions of Flash and Java, though, don’t they? Sure, but I’d argue that the iPhone isn’t really a smartphone, it’s a mobile computer. Full darwin kernal, BSD networking — pretty much a UNIX box in your pocket. To me, that’s a far bigger target than Palm OS, the Java Micro Edition inside a Blackberry, and even Windows Mobile (which, despite the name, is a very different animal under the covers than Microsoft’s desktop OS).

And isn’t there a battle going on for the Rich Internet Application (RIA, aka WebApp) space? You betcha. Google didn’t just drop Chrome for no reason. SproutCore, Flash/Air, Silverlight/.Net, Prism, Safari, Java, etc. all want to own what’s likely the next major computing platform (the web “cloud”).

Bottom-line: Both for Apple and for consumers, the advantages for Flash and Java currently do not outweigh the drawbacks, especially as standard web technologies continue to decrease the gap between proprietary plugin capabilities and the open internet (HTML, CSS, AJAX).

That’s my opinion, at least. What’s yours?

This is a story by the iPhone Blog. This feed is sponsored by The iPhone Blog Store.

Flash and Java on the iPhone: Video Dream vs. Security Nightmare Redux