Apple iOS Zero-Day PDF Vulnerability Exposed

Right now, only jailbroken devices have access to a patch for the PDF-related display bug.

Mathew J. Schwartz, Contributor

July 7, 2011


Users of the iPhone, iPad, and other iOS devices can now jailbreak their hardware not just when connected to a computer, but remotely, via a website.

That's thanks to the JailbreakMe website, which went live on Tuesday with version 3.0 of its jailbreaking capabilities. The software allows anyone using a device that runs iOS version 4.3 through 4.3.3--including, for the first time, the iPad 2--to remotely jailbreak their device in just minutes. To do that, users visit the JailbreakMe website, which exploits a vulnerability related to how the iOS version of Safari renders PDF pages.

But the zero-day PDF vulnerability exploited by the website is triggering warnings from security experts. "If visiting the JailbreakMe website with Safari can cause a security vulnerability to run the site's code, just imagine how someone with more nefarious intentions could also abuse the vulnerability to install malicious code on your iPad or iPhone," said Graham Cluley, senior technology consultant at Sophos, in a blog post. "If they exploited the same vulnerability in a copy-cat maneuver, cybercriminals could create booby-trapped Web pages that could--if visited by an unsuspecting iPhone, iPod Touch, or iPad owner--run code on visiting devices."

Furthermore, at least for non-jailbroken devices, "as Apple does not allow anti-virus software to be listed in the official iPhone AppStore there is no on-device protection available for users," said Cluley.

Interestingly, however, the developer behind JailbreakMe--known as Comex--has released PDF Patcher 2, a free fix for the zero-day vulnerability, via Cydia, which is an app store for jailbroken iOS devices that reportedly earns about $10 million per year. "Along with the jailbreak, I am releasing a patch for the main vulnerability which anyone especially security conscious can install to render themselves immune," said Comex, on the JailbreakMe website. "Due to the nature of iOS, this patch can only be installed on a jailbroken device. Until Apple releases an update, jailbreaking will ironically be the best way to remain secure."

Jailbreaking isn't against the law. According to a 2010 Library of Congress ruling, jailbreaking an iOS device doesn't violate the Digital Millennium Copyright Act, and thus is legal. Since that ruling, Apple removed an API from iOS that was used to detect whether a device had been jailbroken.

Might publicizing this vulnerability, however, put other iOS device users at risk? Comex, in fact, argued the opposite. "I did not create the vulnerabilities, only discover them," according to the JailbreakMe FAQ. "Releasing an exploit demonstrates the flaw, making it easier for others to use it for malice, but they have long been present and exploitable. Although releasing a jailbreak is certainly not the usual way to report a vulnerability, it still has the effect of making iOS more secure in the long run."

No doubt Apple will prioritize releasing a patch for the vulnerability, which will--at least in the short term--have the side effect of blocking this latest jailbreaking technique. Interestingly, Comex said via a Twitter post last week that the new JailbreakMe code had apparently been leaked before it was ready, which meant that Apple would have a head start in finding a way to block the bug, and thus the jailbreak, with its next version of iOS. "Congratulations, some moron used a dictionary attack(?) to leak a buggy version and put me on a useless time limit," said Comex.

Still, Apple's forthcoming patch for the zero-day PDF rendering vulnerability likely won't be the last iOS bug, meaning that jailbreakers will no doubt continue to find new ways of unlocking Apple's mobile OS.


About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.
