Apple announced Aug. 11 that it has swatted two bugs used to jailbreak the iPhone.
The update comes roughly a week after the release of JailbreakMe 2.0, which took advantage of two vulnerabilities in the iOS mobile operating system used by the iPhone, iPod Touch and iPad. According to Apple, the first was a stack buffer overflow that exists in FreeType’s handling of Compact Font Format opcodes that could be exploited to run arbitrary code via a PDF file with malicious embedded fonts.
From there, an integer overflow in the handling of IOSurface properties could be used to gain system privileges. Both bugs were fixed with improved bounds checking, Apple said in an advisory.
When reports of the vulnerabilities surfaced, security pros worried they would be used to launch malicious attacks. In the hands of attackers, the vulnerabilities could be used remotely to take over a system.
“Symantec has not seen any attacks leveraging this vulnerability yet, but I would say the appearance of attacks is not too far away since the iPhone is a popular product,” said Joshua Talbot, security intelligence manager for Symantec Security Response. “However, the fact that Apple has released a patch will go a long way in preventing users from being victimized by attackers seeking to exploit this issue.”
The updates are for “iOS 2.0 through 4.0.1 for iPhone 3G and later, iOS 2.1 through 4.0 for iPod Touch (second generation) and later” and iOS 3.2 and 3.2.1 for the iPad.