So the big news from the iPhone world has been the re-emergence of the iPhone jailbreak web site. A group has packed a web page with all the components needed to remove the software protections from an iPhone 4 handset.

Good news if you're a fan of unlocked iPhones waiting for an iOS 4 hack, but probably not welcome news at Apple (though a recent ruling has protected jailbreaking)

In the end, however, this is something that should benefit everyone, at least on the security front.

You see, these sort of web-based jailbreak techniques require a point of entry from which a page can automatically access the inner-workings of a handset and install new code. In other words, a remote code vulnerability.

In this case, researchers are exploiting a vulnerability in the handling of PDF files.The page takes advantage of the vulnerability to install the jailbreak tools. In the process, the vulnerability is publicly brought to light, something that is both good and bad for all iPhone users.

On one hand, the researchers are disclosing a "zero day" flaw for which there is not yet a patch. Many security vendors and experts argue against such disclosures, advising researchers to contact the company privately and only disclose a flaw after a patch is available.

On the other hand, a quiet disclosure wasn't really an option here, as the unpatched vulnerability is necessary for the procedure. And because this vulnerability was disclosed in such a public manner, Apple has no doubt already begun work on an update.

It may not be the safest way to disclose a flaw, but in the long run all iPhone users will be a bit safer thanks to the developers in the iphone dev team.

04 Aug 2010