Apple Patches Critical PDF Jailbreaking Flaw In iOS Update

Stefanie Hoffman

July 15, 2011, 09:06 PM EDT

The update, version iOS 4.3.4, is available for iPhone 4, iPhone 3GS, iPad 2, iPad and third and fourth generation iPod touch, and can be installed via iTunes.

The newly released patch repairs vulnerabilities that affect PDF files transmitted or viewed on several versions of Apple’s iOS.

The PDF flaw stems from a buffer overflow issue occurring in the way the iOS parses fonts in Apple’s mobile Safari browser. Another vulnerability in the iOS allowed hackers to bypass Apple’s ASLR (address space layout randomization), a security feature that involves random position arrangement of key data areas that make it more challenging for hackers to predict target addresses and launch attacks.

The iOS PDF flaw became widely publicized last week after hackers publicly disclosed the browser-based jailbreaking exploit, known as JailbreakMe 3.0.

Jailbreaking occurs by circumventing Apple’s security mechanism on a mobile device to install applications not authorized the App Store.

Researchers at the German Federal Office for Information Security, also known as BSI, soon after said the iOS vulnerabilities could be used for malicious purposes .

Cyber criminals could exploit the security flaws by creating a malicious PDF distributed via a link delivered over e-mail or social networking site. The mobile Safari browser would open the infected PDF file once users clicked on the link, enabling a jailbreak or potentially allowing the installation of malware. Attackers could then use the installed malware to access users’ personal or financial data stored on their iPhones or iPads, including online banking information, credit card numbers, text messages, calendars, e-mails and passwords. They could also exploit the flaw to intercept users’ phone conversations and locate and track users via the iPhone’s GPS capabilities.

“Click and you’re done,” said Andrew Storms, director of security operations for security firm nCircle . “What’s to stop someone else from using the iOS jailbreak for something else? What if it was malware instead? That’s what really scared a lot of people about this.”

Thus far, security professionals have not yet detected active attacks in the wild exploiting the iOS flaw, Storms said.

“We all breathed a sigh of relief. We didn’t see what we had feared,” Storms said. “I’m not quite sure why. More than a handful of people had already figured out what the exploit was. We’re all pretty impressed that with all the work that was done, it didn’t get used for some nefarious purpose.”

The update comes less than 10 days after Apple first notified users about the iOS vulnerability and about a week after Cupertino pledged to fix the flaws.

While historically slow at responding to other security issues, Apple’s swift response in addressing the jailbreaking flaw was on par with its response to a similar iOS exploit last year. Apple issued a fix 10 days after hackers publicized a pair of jailbreaking vulnerabilities in the iOS , one of which allowed attackers to access the iPhone by tricking user into clicking a PDF document with maliciously crafted embedded fonts, while the other allowed an attacker to obtain elevated privileges and gain complete control of the device.