Today, two well-known members of the jailbreak community won awards for very different kinds of work. Comex, the developer of the well-known JailbreakMe 3.0, has earned a Pwnie Award for discovering the exploitable vulnerability behind it. George Hotz, the man who first unlocked the original iPhone back in 2007, won a very different kind of prize: read on!
The Pwnie Awards is a new kind of awards ceremony that celebrates the best hackers. In the category for Best Client-Side Bug, awarded to the person who has managed to exploit a browser vulnerability and made good use of it, Comex won an award for the browser vulnerability that allowed JailbreakMe 3.0 to function. JailbreakMe is an incredibly easy jailbreaking method that works with any iPhone, iPad and iPod touch as long as it’s running iOS 4.3.3 or under. Users simply have to point Safari to the JailbreakMe website and follow the quick on-screen instructions, which mostly involve clicking on a link and waiting a few minutes. You can follow our full step-by-step guide on how to perform this here.
The Pwnie Awards blog went to great lengths to explain how this vulnerability works:
Comex exploited a vulnerability in the interpreter for Type 1 font programs in the FreeType library used by MobileSafari. This exploit is a great example of programming a weird machine to exploit a modern system. Comex used his control over the interpreter to construct a highly sophisticated ROP payload at runtime and bypass the ASLR protection in iOS. Furthermore, the ROP payload exploited a kernel vulnerability to execute code in the kernel and disable code-signing.
Although Apple has since fixed this vulnerability, it will certainly stay in the books as the most well-exploited vulnerability in quite a long time.
Meanwhile, Geohot was able to win an award of his own: an online music award, thanks to a rap he wrote (and sang) about Sony a few months ago. To my surprise, the final result actually doesn’t look that bad at all, although we must warn you that there’s some offensive language on there:
Hotz was sued by Sony earlier this year for “jailbreaking” the PlayStation 3 and allowing non-Sony-approved features onto the console. The case was later settled.
For the list of all winners, check out the official Pwnie Awards 2011 page here.