12:29 PM

Apple iOS Zero-Day PDF Vulnerability Exposed

Right now, only jailbroken devices have access to a patch for the PDF-related display bug.

Users of the iPhone, iPad, and other iOS devices can now jailbreak their hardware not just when connected to a computer, but remotely, via a website.

That's thanks to the JailbreakMe website, which went live with version 3.0 of its jailbreaking capabilities on Tuesday. The software allows anyone using a device that runs iOS version 4.3 through 4.3.3--including, for the first time, the iPad 2--to remotely jailbreak their device in just minutes. To do that, users visit the JailbreakMe website in Safari on the device; the site exploits a vulnerability in how the iOS version of Safari renders PDF pages.

But the zero-day PDF vulnerability exploited by the website is triggering warnings from security experts. "If visiting the JailbreakMe website with Safari can cause a security vulnerability to run the site's code, just imagine how someone with more nefarious intentions could also abuse the vulnerability to install malicious code on your iPad or iPhone," said Graham Cluley, senior technology consultant at Sophos, in a blog post. "If they exploited the same vulnerability in a copy-cat maneuver, cybercriminals could create booby-trapped Web pages that could--if visited by an unsuspecting iPhone, iPod Touch, or iPad owner--run code on visiting devices."

Furthermore, at least for non-jailbroken devices, "as Apple does not allow anti-virus software to be listed in the official iPhone AppStore there is no on-device protection available for users," said Cluley.

Interestingly, however, the developer behind JailbreakMe--known as Comex--has released PDF Patcher 2, a free fix for the zero-day vulnerability, via Cydia, which is an app store for jailbroken iOS devices that reportedly earns about $10 million per year. "Along with the jailbreak, I am releasing a patch for the main vulnerability which anyone especially security conscious can install to render themselves immune," said Comex, on the JailbreakMe website. "Due to the nature of iOS, this patch can only be installed on a jailbroken device. Until Apple releases an update, jailbreaking will ironically be the best way to remain secure."

Jailbreaking isn't against the law. According to a 2010 Library of Congress ruling, jailbreaking an iOS device doesn't violate the Digital Millennium Copyright Act, and thus is legal. Since that ruling, Apple removed an API from iOS that was used to detect whether a device had been jailbroken.

Might publicizing this vulnerability, however, put other iOS device users at risk? Comex, in fact, argued the opposite. "I did not create the vulnerabilities, only discover them," according to the JailbreakMe FAQ. "Releasing an exploit demonstrates the flaw, making it easier for others to use it for malice, but they have long been present and exploitable. Although releasing a jailbreak is certainly not the usual way to report a vulnerability, it still has the effect of making iOS more secure in the long run."

No doubt Apple will prioritize releasing a patch for the vulnerability, which will--at least in the short term--have the side effect of blocking this latest jailbreaking technique. Interestingly, Comex said via a Twitter post last week that the new JailbreakMe code had apparently been leaked before it was ready, which meant that Apple would have a head start in finding a way to block the bug, and thus the jailbreak, with its next version of iOS. "Congratulations, some moron used a dictionary attack(?) to leak a buggy version and put me on a useless time limit," said Comex.

Still, Apple's forthcoming patch for the zero-day PDF rendering vulnerability likely won't be the last iOS bug, meaning that jailbreakers will no doubt continue to find new ways of unlocking Apple's mobile OS.
