updated 08:40 pm EDT, Tue March 19, 2013
New updates patches six exploits, breaks evasi0n jailbreak
In closing six potential exploits in the security-oriented iOS 6.1.3 update released earlier today -- and simultaneously breaking compatibility with the evasi0n jailbreak -- Apple has acknowledged the contributions of the Evad3rs team behind the jailbreak with finding four of the six flaws that, in the wrong hands, could have lead to an increased risk of malware rather than just a path to unofficial apps and customizing. Though the jailbreak hack no longer works, the team suggest that other flaws still exist.
Though jailbreaking itself is not illegal, Apple has a vested interest in discouraging the practice, as it requires hackers to find exploits in iOS that can be used to inject potentially-dangerous (and often unstable) new system code. On the other hand, the hackers -- who do the tedious research to find the exploits for free in order to further their jailbreaking aims -- are not generally malicious, and ironically help the company uncover and fix flaws that could have otherwise been found and exploited by those intent on stealing data or compromising device security.
Though Apple will continue to close exploits as it finds them and thus play a cat-and-mouse game with exploit researchers, the acknowledgement in the security notes on iOS 6.1.3 shows the company is willing to credit those who help it close potentially-dangerous flaws -- even if Apple doesn't fully approve of what they're unofficial nature. The iPhone maker has also taken to hiring security researchers behind iOS hacks as consultants to help harden iOS for enterprise use and general security improvements.
The Evasi0n jailbreak proved exceptionally popular among iPhone users, having been downloaded millions of times during the first week of availability. While most jailbreakers simply want to customize their system more than Apple permits or take advantage of a specific feature -- such as unofficial tethering -- not allowed in App Store-approved apps, some do use the jailbreak process to attempt to download pirated copies of paid apps, which also introduces a high risk of malware or even viruses that could leverage the compromised codebase. Apple must walk a line that keeps researchers interested in helping the company find and close flaws, while still taking steps to discourage abuse of jailbreaking due to security and app piracy concerns.
The other two exploits patched by Apple covered a complex but reproducible method of bypassing the iOS lock screen by taking advantage of a flaw in the way the iPhone handles emergency calls, and a WebKit bug in Mobile Safari. These were credited to a Canadian researcher and a team working with HP TippingPoint's Zero Day Initiative, respectively. One of the Evad3rs team, David Wang, is quoted by AppleInsider as saying there may be enough remaining flaws discovered by the team to make a new version of the evasi0n jailbreak possible, but could not commit to anything for certain.