Apple released a new iOS update that patches the PDF flaw uncovered over a week ago by developers at the JailbreakMe Website.
The iOS 4.3.4 update fixes a vulnerability in the CoreGraphics frameworks that resulted in problems in the way PDF files were being handled, Apple said in its update advisory on July 15. With this flaw, malicious hackers could have remotely controlled iPhones, iPads and iPod Touches after tricking the user to open a malicious PDF file. The update is available for iPhone 3GS and iPhone 4 running iOS 3.0 and higher, third-generation iPods with iOS 3.1 and higher, and iPads with iOS 3.2 and higher.
The flaw was uncovered by "Comex," a member of the hacking group iPhone Dev Team, who exploited it to create a way for users to jailbreak iOS devices in order to run non-Apple-authorized software. Usually, the process requires the user to download a specific tool while connected to a computer. This flaw allowed the team to develop a tool that could be executed just by visiting the JailbreakMe Website from the mobile device.
The update "fixes [a] security vulnerability associated with viewing malicious PDF files," Apple said.
The German Federal Office for Information Security issued a warning about the possibility of attackers exploiting the same flaw using PDF files. The agency said clicking on an infected PDF via email or on the Web would infect an iOS device with malicious software and give the attacker administrative privileges on the device.
Comex released a patch to close the hole for users who ran the jailbreaking tool. Ironically, until Apple released this update, the only users who were protected were the ones who had jailbroken their devices.
The update addresses a buffer overflow in how FreeType handles TrueType fonts, an issue in how FreeType handles Type 1 fonts and an invalid type conversion issue in IOMobileFrameBuffer. The issues, in combination, could have allowed an attacker to take control using a maliciously crafted PDF file.
Apple has moved fairly quickly to address the issue. The update means the JailbreakMe tool will no longer work on updated devices, but at least users are now protected from potential attacks. "Apple released this fix less than 10 days from the time it went public on July 6, just like they did last time there was aserious jailbreak vulnerability," Andrew Storms, director of security operations for nCircle said.
This flaw could have been used "to distribute a wide variety of malware" if left unpatched, Storms said. It was important that users install the latest patches as soon as possible, he said.
Apple's last update, 4.3.3, released in May, fixed a controversial bug inApple's location-based services. Unlike many major technology companies, Apple does not follow a regular release cycle for its updates but releases them on an erratic schedule.
"Apple has no scheduled patch release cycle. Once a critical bug is discovered, Apple rarely communicates at all about when a patch will come out. When the patch is available they just ship it," Storms said.