This Unix internals person cringed at
"it uses a Unix trick called a shebang that can summon up code from another, signed application."
This isn't a "Unix trick". This is how shell files indicate what shell they need to interpret themselves. If THAT is the security hole in iOS, it's time to fire the security review team. Wow.
"Wang won't say exactly how that AMFID-defeating part of the jailbreak works. Apple can figure that one out for themselves, he says." and then he goes on to explain how they defeated ASLR (which has been defeated many times) so, clearly, they're patching stuff in memory to defeat AMFID - not unlike the Surface RT hack that lets you run unsigned code on RT.
Nice hack. I'm convinced at this point Apple makes these things just hard enough to jailbreak to seem like it's an accomplishment, but not so hard as to be impossible. The exploits used here are actually fairly critical security holes in iOS; they have to have been left purposefully. If not, then as I said some people should be looking for new work.
--
My place : »www.schettino.us