“A tool that lets people remotely jailbreak their iPhones could be modified to attack iPhones and iPads with malicious PDFs and appears to have prompted Germany’s government to issue a security warning to consumers,” iOS jailbreak spurs German security warning reports for CNET.
Advertisement: Students, parents and Faculty save up to $200 on a new Mac.
“The Dev-Team, and specifically member Comex, today released the latest version of JailbreakMe.com, which allows people to ‘just browse to <a href="http://www.jailbreakme.com" target="_blank"http://www.jailbreakme.com on your device and install it from there!'” Mills reports. “While the tool gives iOS device users the freedom to run any application they want, including software not sanctioned by Apple, it could also be modified and used to deliver malware to iOS devices, and not just jailbroken ones.”
Mills reports, “After the tool was released, Germany’s IT agency issued a statement warning of “critical weaknesses” in iOS that could provide attackers unrestricted access to a device if a malicious PDF is clicked on, according to the Associated Press.”
Read more in the full article here.
It’s the same story everytime a PDF exploit is found.
Apple will patch it soon, and honestly the patch to secure it.. Is probably patched in cydia either during the jailbreak or available after it’s done. Just like the last time.
I wondered how long it would take before the fact a JailBreak from a Web Site is a bad thing to sink in. Apple must fix this immediately if they are going to remain the most secure mobile iOS. I Apple users wanted the dangerous mobile trojans and viruses they would have bought an Android.
Let us see how long it takes Apple to push a update that fixes this.
obviously they are the most securable iOS because they are the only iOS. Plus this whole thing is gonna blow over. Forget about it
Jet all these idiots continue to use Windblows, especially the morons in the German government.
There has never been this much evidence in history just how stupid people want to be.
It is akin to running from a lit match to an building engulfed in flames.
Although this does bring the smell of smoke to the room- Apple, open a window fast!
I’m with Tablet Guy on this one. If just visiting a website and viewing a pdf can take over the phone, then there is a problem.
You have to go to the website then jailbreak your phone to install additional software. Comex is merely providing a jailbreak service and even has a restore tool.
This isn’t a trojan much less a virus but it does expose a vulnerability.
Comex should be credited for reporting this vulnerability and for NOT being the typical hacker jerk.
Agreed.
And like before, there will be a cydia fix before an apple fix.
And to those that do not understand…
99.999999999999999999999999999% of the PDFs people open, are stuff they wanted to open up. The possibility this gets used as a way to infect your iPhone.. Extremely low.
The only PDFs that would even possibly be a problem… Are on sites most people will not go to.
Just like all the other times, this isn’t the first time, nothing but FUD will come of this.
but if this had been a Win Phone ’07 exploit, we’d be all over it like a pack of slobbering hounds….
PDF, Adobe strikes again. I blame Adobe. Don’t use PDFs, just let them die alongside Flash.
The PDF format is terrific with remarkable uses across all computer platforms. However, Adobe stooopidly allowed the embedding and execution of code within a PDF file. Why the hell Adobe did that is beyond my comprehension. And sadly, every application or OS that opens PDF files has got to out-think Adobe’s stooopidity and shut off all PDF embedded code execution. Ideally this was done years ago when the whopping huge security hole was first understood. However, we live amidst humanity where computer security remains an amateur level, remarkably unprofessional endeavor. I’d be glad to write a diatribe explaining the situation, but I will leave it at that.
Don’t be bloody stupid. PDF files are the only way of getting documents to read on multiple platforms, and in print, the PDF file is an essential part of modern workflow, being used to send proofs to clients, and then sent to the RIP for the image setter or CTP, (Computer To Plate), or even directly to a digital press).
While there’s a very remote chance of this being exploited, in the *real* world, it’s pretty unlikely. Kill Flash by all means, I’ll be happy to piss on it’s miserable grave, but PDF files allow me to have my car insurance documents sent to me by email, then opened and saved into iBooks where I have them with me all the time. I couldn’t have done that even two years ago.
Is it true that you can be infected unknowingly, as they claim? I have watched videos of the jailbreak. It’s not enough to just surf to the webpage. You still have to tap a button, twice, and have to start an app by hand.
Not really.
Pretty much FUD.
How many PDFs do you open from sites you randomly go to?
I dontthink there has ever been a PDF security hole that was ever used maliciously. Used to jailbreak, then they are patched. Both on cydia and apple.
I do open PDFs. Sometimes even from sources of unknown quality.
But that doesn’t mean that they can pwn the iPad, right? On the jailbreak, all the hole allows is to install an app circumventing the App Store. But the app still has to be started by hand. Or am I wrong?
it doesn’t circumvent the app store.
it allows the iPhone to be rooted, so you can install Cydia.
If it circumvented the app store, it would be software piracy and illegal.
Last time i did one of these jailbreaks via PDF, you went to the site, open the PDF, and then you have an option to install cydia.
Let me point out that this security issue is due to the insecure nature of the PDF format. What Apple will be doing is stopping the default reading and execution of code embedded in PDF files.
IOW: Yet again, thank ADOBE.
The details are in the implementation.
I respect that in writing software to handle a PDF you obviously want to follow the document specification as closely as possible but unless Adobe actually wrote the code in question I lay the blame squarely at Apple’s feet.
If it is their code with the exploit, then I do not see the value in trying to pass off the blame to Adobe. All Adobe did was provide the PDF specification, Apple implemented it in the OS (at least that is my understanding)
the exploit doesn’t need to be clicked on or opened. it only needs to be embedded in a web page and you’ll be compromised as soon as you visit the page. yes, they can put it in a pdf file that you open too, but that leaves too much to chance to see if you’ll open a fake email.
Guys, the exploit is not nessacarily the pdf, but more the contents of it. The exploits used are the deja vu exploit and a stack overflow. Both of these can be used because of the way the device reads the pdf