February 3, 2013 not only marks the start of Super Bowl Sunday, it could also signify the arrival of a new untethered iOS jailbreak.

A newly formed hacking group, going by the name of evad3rs, is reportedly close to completing their latest iOS 6.1 jailbreak. More importantly this jailbreak works on the A5 and A6 chip architectures in the latest flagship iOS devices. 

Previous reports claimed that the group held back releasing the jailbreak in the knowledge that Apple would soon release the long awaited iOS 6.1 update that surfaced on Monday. The group has also stated that publishing the exploit earlier would allow Apple to develop a patch to counter-act their efforts. So, immediately after the iOS 6.1 release, some four and a half months after the original iOS 6 release, the group has said that they are ready.

Websense® Security Labs™ has seen companies try to use previous iOS device jailbreak activities in the corporate environment, with download and usage of redsn0w and absinthe hacks. In addition to these common tools, download of unauthorized iOS Apps outside of iTunes has also been very active. Websense ThreatSeeker® Network has shown the Bring Your Own Device (BYOD) phenomenon is alive and kicking in modern work places.

In the coming days, Websense Security Labs will keep a close eye on further developments with this new jailbreak.

[Update]

The 'evasi0n" jailbreak has been released overnight and made available to the public along with several download mirrors. The popularity has exceeded many of the mirror's account bandwidth limits causing slow and failed downloads. The jailbreak, namely evasi0n version 1.0, came as a standalone tool where you simply set and forget. It takes just a few minutes the iOS devices to be jailbroken.

Furthermore, Websense Security Labs has also located an increasing of newly registered websites taking on similar names as evasi0n.  Our Websense ACE (Advanced Classification Engine) analytics are treating them with appropriate suspicion.

Websense customers are protected by Websense ACE (Advanced Classification Engine).

The recent advent of flashback malware that includes exploit code for CVE-2012-0507 has been creating waves and quickly adopted by various other attackers as Websense® Security Labs™ has shown. This blog post detail some of the aspects of CVE-2012-0507 and how this exploit has been used in the wild.

The Java code first starts with the excerpt below:

The string "sobj" contains a stream of characters that trigger the vulnerability and force Java to render something which it usually wouldn't be allowed to. The string "8BCA ..." is obfuscated with an XOR key of 0x27 shown below:

After this string is de-obfuscated, it looks something like the image below:

We compared the exploit code used in the flashback campaign (above) with another instance in the wild that surfaced recently. Apparently, the attacker is using the exploit code provided by the metasploit framework.

The only difference between the flashback exploit code and the one used by metasploit is the bytecode array, where one is a signed byte array while the other is unsigned, as revealed below:

In our flashback sample, the string that triggers the vulnerability is "XOR-ed" with 0x27, while the string seen in the metasploit sample uses a signed byte array.

Lastly, the payload used by the flashback malware is a dropped Mach-O binary executable, while the metasploit exploit opens a listening TCP port shell pipe depending on what operating system the victim is on (This highlights the beauty of a design flaw as opposed to a vulnerability that corrupts memory). The code excerpt is shown below:

 Websense security solutions protect users from these kinds of exploits.

We in Websense® Security Labs™ have been following the developments of the Flashback trojan for Mac that has infected over 600,000 Apple computers worldwide. The number of infected computers seems to be dropping steadily now and will continue to do so as Apple yesterday released a removal tool as part of their Software Update:

We recommend that all Apple users install this software update as soon as possible.

Flashback itself has been around since last year, but the number of infections really increased after it was used in drive-by download attacks using CVE-2012-0507, a vulnerability in Java. This marks the first time that Mac users are under the same threat that Windows users have been for years; it's enough to visit a website to get compromised.

Websense customers are protected against all known variants of the Flashback trojan, and we also have real-time coverage in place for the traffic between the malware and the command and control servers. And that's the benefit of having a gateway product that can inspect content in real time: Data is data, regardless of what the endpoint is (Windows, OS X, iOS, Android, etc.).

Jailbreakme.com version 3 went public yesterday and offers, again, a simple way to jailbreak an iOS device. And it's very, very simple. In fact, in our testing the jailbreak doesn't take more than 20 seconds from start to finish and works flawlessly. It doesn't crash your browser, and it even looks and feels like a regular App Store installation. Very slick but also very dangerous.

The reason it's dangerous is that it works like a drive-by download (but requires user interaction), similar to the ones we see used attacking Windows PCs every day through vulnerabilities and exploit kits. What happens when you click on "Free" -> "Install" on the jailbreakme.com website is that your browser downloads a PDF file that triggers a vulnerability in how the built-in PDF reader handles a certain Font type which in turn installs the actual jailbreak.

This isn't the first time we've seen a jailbreak like this for iOS. In fact, jailbreakme.com was used in August 2010 to do exactly the same thing, again with a PDF file. We didn't see any malicious use of this attack despite the source code being made available, but will it be different this time? It wouldn't be hard for a malicious attacker to reverse engineer how the jailbreak works and create something similar that doesn't require the user to click on "Free" -> "Install" and silently installs malicious code on your iOS device, either through the browser or via an email attachment. If this were created, an attacker could gain full control of your device and install everything from a keylogger to a full-blown bot. Or what about forwarding all mails to a third-party email address? The regular iOS sandbox won't be protecting your device, and since iOS is a variant of Unix, anything is possible.

We hope that Apple will release an updated firmware to fix this vulnerability and not wait for iOS5 to fix it. On a side note, I made a bet with @mikkohypponen on how long it will take Apple to release the patch. My guess is less than 10 days, Mikko thinks in 5 days. What do our readers think, how long will it take Apple to release the patch?