The developer of a jailbreak for iPhones has posted source
code attackers could use to compromise devices.
The developer, who goes by the name "Comex," posted code for
JailbreakMe 2.0 on the Web Aug. 11 after Apple released a pair of fixes for
the iOS bugs the jailbreak leverages. The patches also address the problems on
the iPad and iPod touch.
“The first issue exploited is a FreeType CFF (Compact Font
Format) handling issue, exploitable via Mobile Safari to gain access to
affected devices,” explained Michael Price, senior operations manager for McAfee
Labs for Latin America. “The second issue exploited is an IOSurface framework
issue that allows for administrative privileges to be obtained…This update
should prevent both malicious attackers from exploiting these issues, as well
as prevent the jailbreak technique from continuing to work–for updated
devices.”
If the bugs are exploited successfully, they could allow an
attacker to remotely compromise a device and take full control.
On Aug, 11, security researchers said they have not observed
any attacks leveraging the bugs, but all that could change now that the source
code has been posted. Users who have already jailbroken their devices will of
course have to make the choice between installing the update and maintaining the
freedom to install applications not approved by Apple, noted Mikko Hypponen,
chief research officer at F-Secure.
“This does mean that users who have jailbroken their devices
and prefer to keep it that way will have to face the increased likelihood of
malicious attacks through this vulnerability,” he blogged.
According to an advisory from Apple, the patches–which
came roughly a week after JailbreakMe 2.0 hit the street - are available for:
iOS 2.0 through 4.0.1 on iPhone 3G and later, iOS 2.1 through 4.0 on the iPod touch
(second generation) and later and iOS 3.2 and 3.2.1 for the iPad.
IT Security & Network Security News & Reviews News & Reviews 
