Never miss an update Follow AppleInsider
Tuesday, August 03, 2010, 03:45 pm
Browser-based iOS 'jailbreak' utilizes 'scary' PDF security hole
The latest browser-based "jailbreak" for iOS devices, including the iPhone 4, utilizes a PDF exploit that one prominent security expert called both "scary" and "very beautiful work."Sean Sullivan, security advisor with F-Secure Corporation, revealed on Tuesday the technical details of the jailbreak process, which is done entirely in the Mobile Safari browser. The jailbreakme.com site includes 20 separate PDFs for different combinations of hardware and firmware.
The same PDF files rely on a corrupt font, and crash the Safari browser's Compact Font Format handler.
Sullivan also linked to comments made via Twitter by security researcher Charlie Miller, who was also analyzing the code behind the browser-based jailbreak.
"Very beautiful work," Miller wrote. "Scary how it totally defeats Apple's security architecture."
While the jailbreakme.com URL itself is not intended for malicious purposes, the PDF exploit it uses could be utilized by hackers to more nefarious ends. Miller said that with this method, a hacker does not need physical access to an iPhone, iPod touch or iPad -- they just simply need to have the user visit a vulnerable website.
Last year, Miller exposed a dangerous SMS exploit that could allow a hacker to remotely control an iPhone. He notified Apple of the flaw, and the company quickly released a patch to plug the exploit.
Apple is likely to quickly act once again and plug the vulnerability that affects all iOS devices -- all models of the iPhone, iPod touch and iPad. When that happens, hackers who want to jailbreak iOS devices to run unauthorized code and operating system modifications blocked by Apple will have to find another method.
The member of the iPhone Dev Team who goes by the handle "comex" said this week that he has other potential exploits he will look to when Apple inevitably patches the PDF flaw.
"Maybe I'll rely on USB based stuff for the next jailbreak so that Apple won't patch it so fast," he said.
Ironically, jailbreakers have already developed a workaround solution that can help users avoid being hacked through the PDF exploit. Developer Will Strafach on Tuesday released an application available on the jailbroken Cydia store that will warn users when a Mobile Safari page is loading a PDF file. The solution does not patch the hole, but helps to prevent users from visiting sites with all PDF files to avoid the exploit.
On Topic: iPhone
- Samsung Galaxy S4 & Google Now accused of violating Apple patents for Siri
- AT&T to bring FaceTime over cellular to all customers by end of year
- Apple debuts new iPhone discounts, subsidies to gain ground in India
- Looking to pull even with Apple, Samsung to pay developers for Galaxy-specific apps
- 10M Samsung flagship phones in 28 days a 'record,' 5M iPhone 5 in 3 days 'disappointing'
Previous Comments View All
still think android is so so so much more vulnerable?
"comprimise" - now that's professional...
question guys, have not read anything re this question anywhere
do you think Apple is not closing some security holes by purpose to leave a door open for the devteam ?
i mean, i am quite sure that Apple has some very clever and smart people, they should be able to close down the iOS if they really want ?!
we can observe that some USB security flaws are open in iOS3 and still in 4..... MS is doing a better job in patching their windows than Apple...
thanks for your opinions.
Greetings !
Quote:
Originally Posted by tjw 
still think android is so so so much more vulnerable?
still think android is so so so much more vulnerable?
This is a serious issue, no one is denying that, and there will be other vulnerabilities found in iOS throughout the years that will just as bad, but Android is designed from the ground up to be insecure for the average user. That won't change until Android changes.
Quote:
Originally Posted by Dave Marsh
"comprimise" - now that's professional...
"comprimise" - now that's professional...
It's sure to inspire confidence in the jailbreaking team.
so what happen to all these companies out there whose job was to find holes like this, They obviously missed this one and it must have been there for a while.
Oh Well... No OS is perfect (some less/more so than others).
Quote:
Originally Posted by packman2002
question guys, have not read anything re this question anywhere
do you think Apple is not closing some security holes by purpose to leave a door open for the devteam ?
question guys, have not read anything re this question anywhere
do you think Apple is not closing some security holes by purpose to leave a door open for the devteam ?
Yes, and H2O (the rls group) was paid by Steinberg not to crack and rls Cubase... but wait, they cracked it.
To answer your question, software is made by humans and we do make errors.
What is "ironical" about @cdevwill's tweak, exactly? People want to modify their phones and be secure from random exploits.
Apple left the CFF hole open, not @comex.
Latest Apple Headlines
-
Mailbox for iOS gains native iPad compatibility
~15 minutes ago -
Apple invention adjusts audio based on a display's orientation, user positioning
~3 hours ago -
Apple investigating advanced AirPlay system with device-specific UIs
~4 hours ago -
Twitter unveils two-factor authentication, updates Mac app with Notification Center support
~7 hours ago -
OtterBox buys rival case maker LifeProof, drops ongoing patent suit
~10 hours ago - more...
Want to write for AppleInsider? Submit your application now!
| Model | White | Black | |
|---|---|---|---|
| iPad mini (WiFi only) | |||
| 16GB WiFi |  |
$329.99 | $329.99 |
| 32GB WiFi | |
$429.99 | $429.99 |
| 64GB WiFi | |
$529.99 | $529.99 |
| iPad mini (WiFi + 4G) | |||
 |
 |
 |
|
| 16GB 4G White | $459.99 | $459.99 | $459.99 |
| 32GB 4G White | $559.99 | $559.99 | $559.99 |
| 64GB 4G White | $659.99 | $659.99 | $659.99 |
| 16GB 4G Black | $459.99 | $459.99 | $459.99 |
| 32GB 4G Black | $559.99 | $559.99 | $559.99 |
| 64GB 4G Black | $659.99 | $659.99 | $659.99 |
Lowest Prices Anywhere!
| Model | Price | You Save |
|---|---|---|
| Core i5 MacBook Pros w/ Retina | ||
| 13" 2.5GHz/8GB/128GB | $1,406.48 | $292.52 |
| 13" 2.5GHz/8GB/256GB | $1,479.99 | $519.01 |
| 13" 2.5GHz/8GB/512GB | $1,699.99 | $799.01 |
| Core i7 MacBook Pros w/ Retina | ||
| 13" 2.9GHz/8GB/256GB | $1,599.99 | $599.01 |
| 13" 2.9GHz/8GB/512GB | $1,799.99 | $899.01 |
| 15" 2.3GHz/8GB/256GB | $1,899.99 | $299.01 |
| 15" 2.6GHz/8GB/512GB | $2,299.99 | $568.01 |
| 15" 2.7GHz/16GB/768GB | $2,699.99 | $499.01 |
Charlie Miller is also the person Apple credits with reporting a very similar bug in Mac OS X, which was patched in June of this year.
From a Computerworld interview with Charlie Miller
"There's no shell on the iPhone, so [comex] had to do all that himself to get control," Miller continued. "He elevated to root, turned off all code signing, broke out of the sandbox...all in the payload of the exploit.
"And it works every time. Not just a few times out of a hundred. But every time."
Now, who was it that said "It's not at this point a serious issue"?