November 7, 2011

Apple’s iOS Javascript Browser Tweak Hacked

John Brownlee, writing for Cult of Mac:

“In order to increase the speed of iOS’s browser, Apple allows javascript code from the internet to run on a much deeper level in system memory than it had previous to iOS 4.3. This speed increase effectively creates an exception in which the browser can run unapproved code in a region of the device’s memory. All Miller’s hack does is exchange that exception to apps.”

Gruber flagged exactly this risk when he wrote about the Nitro JavaScript engine in iOS 4.3:

“The real answer is about security. Perhaps the biggest reason for Nitro’s performance improvements over WebKit’s previous JavaScript engine is the use of a JIT — “Just-In-Time” compilation. Here’s Wikipedia’s page on JIT. A JIT requires the ability to mark memory pages in RAM as executable, but iOS, as a security measure, does not allow pages in memory to be marked as executable. This is a significant and serious security policy. Most modern operating systems do allow pages in memory to be marked as executable — including Mac OS X, Windows, and (I believe) Android¹. iOS 4.3 makes an exception to this policy, but the exception is specifically limited to Mobile Safari.”

[emphasis mine]

Nailed it again, John.
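To make Gruber's point concrete, here is an added example (mine, not from the post or from Apple/WebKit) of the page-permission discipline a JIT needs and the policy iOS enforced against it: code is emitted only while its page is writable, the page is flipped to executable before it runs, and a second probe checks whether the platform will hand out a page that is writable and executable at once. The "return 42" machine-code stub is constructed for x86-64 and AArch64; names and return codes are my own.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed stub: a function that just returns 42. */
#if defined(__x86_64__)
static const uint8_t STUB[] = {0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3};  /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const uint8_t STUB[] = {0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6}; /* movz w0,#42 ; ret */
#else
static const uint8_t STUB[] = {0};
#define NO_STUB 1
#endif

/* Emit STUB under W^X discipline (never writable and executable together)
 * and run it. Returns 42 on success, -1 if the OS refuses the mapping or
 * the RW->RX flip (the iOS-style policy), -2 on an unsupported CPU. */
int run_generated_code(void) {
#ifdef NO_STUB
    return -2;
#else
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    /* 1. Writable, not executable: the only state in which code is written. */
    void *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    memcpy(page, STUB, sizeof STUB);
    /* 2. Drop write and add execute in one step, then flush the i-cache. */
    if (mprotect(page, pagesz, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, pagesz);
        return -1;
    }
    __builtin___clear_cache((char *)page, (char *)page + sizeof STUB);
    int (*fn)(void) = (int (*)(void))page;
    int result = fn();
    munmap(page, pagesz);
    return result;
#endif
}

/* Probe: does this platform allow a page that is writable AND executable?
 * 1 = RWX granted, 0 = refused. iOS (outside Mobile Safari) refuses. */
int rwx_mapping_allowed(void) {
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE | PROT_EXEC,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return 0;
    munmap(page, pagesz);
    return 1;
}
```

On a stock Linux desktop both calls succeed; on a system that enforces the policy Gruber describes, `rwx_mapping_allowed()` returns 0 and the flip in `run_generated_code()` fails rather than the stub ever running.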