Apple closes the door on two vulnerabilities used to jailbreak the iPhone. The bugs, which existed in Apple iOS, could have potentially been exploited by attackers to take over the iPhone, iPod Touch and iPad.
Apple announced Aug. 11 that it has swatted two bugs used to
jailbreak the iPhone.
The update comes roughly a week after the release of JailbreakMe 2.0,
which took advantage
of two vulnerabilities in the iOS mobile operating system used by the iPhone,
iPod Touch and iPad. According to Apple, the first was a stack buffer overflow
that exists in FreeType's handling of Compact Font Format opcodes that could be
exploited to run arbitrary code via a PDF file with malicious embedded fonts.
From there, an integer overflow in the handling of IOSurface
properties could be used to gain system privileges. Both bugs were fixed with improved
bounds checking, Apple said in an advisory.
When reports of the vulnerabilities surfaced, security pros
worried they would be used to launch malicious attacks.
In the hands of
attackers, the vulnerabilities could be used remotely to take over a system.
"Symantec has not seen any attacks leveraging this
vulnerability yet, but I would say the appearance of attacks is not too far
away since the iPhone is a popular product," said Joshua Talbot, security
intelligence manager for Symantec Security Response. "However, the fact
that Apple has released a patch will go a long way in preventing users from
being victimized by attackers seeking to exploit this issue."
The updates are for "iOS 2.0 through 4.0.1 for iPhone
3G and later, iOS 2.1 through 4.0 for iPod Touch (second generation) and later"
and iOS 3.2 and 3.2.1 for the iPad.