Two critical vulnerabilities in iPhone's iOS exploited in jailbreak - Update
According to Vupen Security, the PDF exploit that allows iPhones to be jailbroken (so that they can run apps not from Apple's App Store) actually relies on two critical vulnerabilities. The vulnerabilities exist in iOS 3.x, 4.0 and 4.0.1 and affect iPhones, iPads and iPod touch devices.
The first vulnerability is, as previously reported, in the PDF rendering functionality of the iPhone, which allows an attacker to execute arbitrary code by having the device process embedded font data that corrupts memory. This flaw in the Compact Font Format (CFF) handling can be exploited by merely tricking a user into visiting a specially crafted page. The second vulnerability is an error in the kernel, which allows attackers to elevate privileges and bypass the sandbox restrictions in iOS.
The jailbreakme.com site uses a crafted page that identifies which model of iPhone, iPad or iPod touch is being used and sends the browser to view one of twenty customised PDF files. The JailbreakMe site only removes the restrictions on the device that block it from running applications that aren't from the App Store, and installs the Cydia application store.
Security vendors are warning that it could be possible for criminals to make use of the same vulnerabilities to create malware for the iPhone. The PDF rendering functionality is part of Apple's own Safari browser, not an external or third-party application. An Apple spokesperson told Reuters that the company was aware of the reports and was investigating.
Update: The German Federal Office for Information Security (BSI) has now warned (German-language link) that, until Apple issues a fix, users should not open any PDF documents on their iOS-based devices. Additionally, BSI says that browser use should be limited to only trusted sites and users should, as always, avoid clicking on URLs from untrusted sources.
A homebrew solution to warn users before opening PDFs, called "PDF Loading Warner", has already surfaced in the Cydia store for jailbroken iOS devices. Ironically, the jailbroken devices already used the vulnerability in order to facilitate the jailbreak in the first place. According to a Twitter post by Will Strafach, its creator, PDF Loading Warner has already been downloaded more than 35,000 times.
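As an added example (not from the article, Vupen or BSI), here is a heuristic gateway check of the kind an administrator could use to act on the BSI advice: it flags PDFs that carry embedded CFF font programs, which is the input the vulnerable parser consumes, so such files can be held back until a fix ships. It also reports files that use compressed object streams, where a raw byte scan cannot see the font dictionaries at all. The sample PDF fragments, object numbers and verdict names are constructed for this example.

```python
import re
from typing import List, NamedTuple

# Embedded CFF fonts live in /FontFile3 streams with one of these /Subtype values.
CFF_SUBTYPE = re.compile(rb"/Subtype\s*/(Type1C|CIDFontType0C|OpenType)\b")
# A stream object: "N G obj << dict >> stream". The lookahead stops the dict at
# "endobj" so one match cannot swallow the objects that follow it.
STREAM_OBJ = re.compile(rb"(\d+)\s+\d+\s+obj\s*(<<(?:(?!endobj).)*?>>)\s*stream", re.DOTALL)
FONTFILE3_REF = re.compile(rb"/FontFile3\s+(\d+)\s+\d+\s+R")
OBJSTM = re.compile(rb"/Type\s*/ObjStm")  # PDF 1.5 object streams hide dictionaries

class ScanResult(NamedTuple):
    cff_objects: List[int]     # object numbers of embedded CFF font streams
    fontfile3_refs: List[int]  # object numbers referenced by /FontFile3
    hidden_objects: bool       # compressed object streams present

def scan_pdf(data: bytes) -> ScanResult:
    cff = [int(m.group(1)) for m in STREAM_OBJ.finditer(data) if CFF_SUBTYPE.search(m.group(2))]
    refs = [int(m.group(1)) for m in FONTFILE3_REF.finditer(data)]
    return ScanResult(cff, refs, OBJSTM.search(data) is not None)

def verdict(data: bytes) -> str:
    """'warn': the file would reach the CFF parser; 'inspect': a raw scan cannot see
    into compressed object streams, so decompress before trusting it; 'clean': neither."""
    r = scan_pdf(data)
    if r.cff_objects or r.fontfile3_refs:
        return "warn"
    return "inspect" if r.hidden_objects else "clean"

# Constructed sample inputs: minimal, non-functional PDF fragments, not real files.
PDF_CFF = b"""%PDF-1.4
4 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Foo /FontDescriptor 5 0 R >> endobj
5 0 obj << /Type /FontDescriptor /FontName /Foo /FontFile3 6 0 R >> endobj
6 0 obj << /Subtype /Type1C /DecodeParms << /Predictor 1 >> /Length 4 >>
stream
abcd
endstream endobj
%%EOF"""
PDF_PLAIN = b"""%PDF-1.4
1 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Helvetica >> endobj
%%EOF"""
PDF_OBJSTM = b"""%PDF-1.5
7 0 obj << /Type /ObjStm /N 2 /First 10 /Filter /FlateDecode /Length 5 >>
stream
xxxxx
endstream endobj
%%EOF"""
```

Run `verdict()` over each sample: the CFF file yields "warn", the plain file "clean", and the object-stream file "inspect", meaning its dictionaries must be decompressed (for example with a full PDF parser) before a verdict is trusted.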
- Apple's iOS 4 update fixes 65 vulnerabilities, a report from The H.