Apple iOS Zero-Day PDF Vulnerability Exposed - InformationWeek


Right now, only jailbroken devices have access to a patch for the PDF-related display bug.

Users of the iPhone, iPad, and other iOS devices can now jailbreak their hardware not just when connected to a computer, but remotely, via a website.

That's thanks to the JailbreakMe website, which went live on Tuesday with version 3.0 of its jailbreaking capabilities. The software allows anyone using a device that runs iOS version 4.3 through 4.3.3--including, for the first time, the iPad 2--to remotely jailbreak their device in just minutes. To do that, users visit the JailbreakMe website, which exploits a vulnerability related to how the iOS version of Safari renders PDF pages.

But the zero-day PDF vulnerability exploited by the website is triggering warnings from security experts. "If visiting the JailbreakMe website with Safari can cause a security vulnerability to run the site's code, just imagine how someone with more nefarious intentions could also abuse the vulnerability to install malicious code on your iPad or iPhone," said Graham Cluley, senior technology consultant at Sophos, in a blog post. "If they exploited the same vulnerability in a copy-cat maneuver, cybercriminals could create booby-trapped Web pages that could--if visited by an unsuspecting iPhone, iPod Touch, or iPad owner--run code on visiting devices."

Furthermore, at least for non-jailbroken devices, "as Apple does not allow anti-virus software to be listed in the official iPhone AppStore there is no on-device protection available for users," said Cluley.

Interestingly, however, the developer behind JailbreakMe--known as Comex--has released PDF Patcher 2, a free fix for the zero-day vulnerability, via Cydia, which is an app store for jailbroken iOS devices that reportedly earns about $10 million per year. "Along with the jailbreak, I am releasing a patch for the main vulnerability which anyone especially security conscious can install to render themselves immune," said Comex, on the JailbreakMe website. "Due to the nature of iOS, this patch can only be installed on a jailbroken device. Until Apple releases an update, jailbreaking will ironically be the best way to remain secure."

Jailbreaking isn't against the law. According to a 2010 Library of Congress ruling, jailbreaking an iOS device doesn't violate the Digital Millennium Copyright Act, and thus is legal. Since that ruling, Apple removed an API from iOS that was used to detect whether a device had been jailbroken.

Might publicizing this vulnerability, however, put other iOS device users at risk? Comex, in fact, argued the opposite. "I did not create the vulnerabilities, only discover them," according to the JailbreakMe FAQ. "Releasing an exploit demonstrates the flaw, making it easier for others to use it for malice, but they have long been present and exploitable. Although releasing a jailbreak is certainly not the usual way to report a vulnerability, it still has the effect of making iOS more secure in the long run."

No doubt Apple will prioritize releasing a patch for the vulnerability, which will--at least in the short term--have the side effect of blocking this latest jailbreaking technique. Interestingly, Comex said via a Twitter post last week that the new JailbreakMe code had apparently been leaked before it was ready, which meant that Apple would have a head start in finding a way to block the bug, and thus the jailbreak, with its next version of iOS. "Congratulations, some moron used a dictionary attack(?) to leak a buggy version and put me on a useless time limit," said Comex.

Still, the zero-day PDF rendering vulnerability targeted by Apple's forthcoming patch likely won't be the last iOS bug, meaning that jailbreakers will no doubt continue to find new ways of unlocking Apple's mobile OS.
