The update, version iOS 4.3.4, is available for iPhone 4, iPhone 3GS, iPad 2, iPad and third and fourth generation iPod touch, and can be installed via iTunes.
The newly released patch repairs vulnerabilities that affect PDF files transmitted or viewed on several versions of Apple’s iOS.
The PDF flaw stems from a buffer overflow in the way iOS parses fonts when Apple’s mobile Safari browser renders PDF files. A second vulnerability in iOS allowed hackers to bypass Apple’s ASLR (address space layout randomization), a security feature that places key data areas at randomized positions in memory so that attackers cannot easily predict the addresses they need to target in order to launch an attack.
The iOS PDF flaw became widely publicized last week after hackers publicly disclosed the browser-based jailbreaking exploit, known as JailbreakMe 3.0.
Jailbreaking circumvents Apple’s security mechanisms on a mobile device so that applications not authorized by the App Store can be installed.
Researchers at the German Federal Office for Information Security, also known as BSI, said soon after that the iOS vulnerabilities could be used for malicious purposes.
Cyber criminals could exploit the security flaws by creating a malicious PDF distributed via a link delivered over e-mail or social networking site. The mobile Safari browser would open the infected PDF file once users clicked on the link, enabling a jailbreak or potentially allowing the installation of malware. Attackers could then use the installed malware to access users’ personal or financial data stored on their iPhones or iPads, including online banking information, credit card numbers, text messages, calendars, e-mails and passwords. They could also exploit the flaw to intercept users’ phone conversations and locate and track users via the iPhone’s GPS capabilities.
“Click and you’re done,” said Andrew Storms, director of security operations for security firm nCircle. “What’s to stop someone else from using the iOS jailbreak for something else? What if it was malware instead? That’s what really scared a lot of people about this.”
Thus far, security professionals have not yet detected active attacks in the wild exploiting the iOS flaw, Storms said.
“We all breathed a sigh of relief. We didn’t see what we had feared,” Storms said. “I’m not quite sure why. More than a handful of people had already figured out what the exploit was. We’re all pretty impressed that with all the work that was done, it didn’t get used for some nefarious purpose.”
The update comes less than 10 days after Apple first notified users about the iOS vulnerability and about a week after Cupertino pledged to fix the flaws.
While Apple has historically been slow to respond to other security issues, its swift response in addressing the jailbreaking flaw was on par with its response to a similar iOS exploit last year. Apple issued a fix 10 days after hackers publicized a pair of jailbreaking vulnerabilities in iOS, one of which allowed attackers to access the iPhone by tricking users into opening a PDF document with maliciously crafted embedded fonts, while the other allowed an attacker to obtain elevated privileges and gain complete control of the device.
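As an added, defender-side example (not code from the article, Apple, or nCircle), the following Python script lists the embedded font streams a PDF carries, which is the attack surface the article describes, so that a mail or web gateway can route such files for sandboxing or closer inspection; the sample PDF, its object numbering and the format signatures are constructed for this example.

```python
import re
import zlib

# Constructed sample PDF for this example (not from the article): one
# FontDescriptor pointing at an embedded TrueType stream (/FontFile2).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Resources << /Font << /F1 4 0 R >> >> >> endobj
4 0 obj << /Type /Font /Subtype /TrueType /BaseFont /Demo /FontDescriptor 5 0 R >> endobj
5 0 obj << /Type /FontDescriptor /FontName /Demo /FontFile2 6 0 R >> endobj
6 0 obj << /Length 16 >>
stream
\x00\x01\x00\x00\x00\x0b\x00\x80\x00\x03\x00\x30cmap
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
# A /FontFile* key is what makes the viewer's font parser run on attacker-supplied bytes.
FONTFILE_RE = re.compile(rb"/(FontFile[23]?)\s+(\d+)\s+\d+\s+R")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
FORMATS = ((b"%!", "Type 1"), (b"\x00\x01\x00\x00", "TrueType"), (b"true", "TrueType"),
           (b"OTTO", "OpenType/CFF"), (b"\x01", "bare CFF"))

def font_format(magic: bytes) -> str:
    """Guess the font container from its leading bytes (informational only)."""
    return next((name for sig, name in FORMATS if magic.startswith(sig)), "unknown")

def find_embedded_fonts(pdf: bytes) -> list:
    """Return one record per embedded font stream referenced by a FontDescriptor."""
    objects = {int(m.group(1)): m.group(2) for m in OBJ_RE.finditer(pdf)}
    found = []
    for num, body in objects.items():
        for m in FONTFILE_RE.finditer(body):
            key, ref = m.group(1).decode(), int(m.group(2))
            target = objects.get(ref, b"")
            sm = STREAM_RE.search(target)
            data = sm.group(1) if sm else b""
            if b"/FlateDecode" in target:  # font streams are usually deflated
                try:
                    data = zlib.decompress(data)
                except zlib.error:
                    pass  # keep raw bytes; a corrupt stream is itself worth a look
            found.append({"key": key, "descriptor_obj": num, "stream_obj": ref,
                          "length": len(data), "format": font_format(data[:4])})
    return found
```

Any non-empty result is a reason to hold the file for sandbox detonation rather than a verdict of malice, since legitimate PDFs embed fonts too.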