Now Available: iOS PDF Flaw Patch
After jailbreaking an iOS device was announced as legal, Apple created a patch for the flaw. Users of iPhone, iPod touch and iPad can now work on their devices without breaking their warranty.
Apple released security updates for iPhone, iPod touch and iPad today. The updates address the flaws in PDF handling and I/O that were recently exploited to create a web-based jailbreak for Apple’s portable devices. iOS 4.0.2 for iPod touch and iPhone and 3.2.2 for iPad are now available via iTunes.
The web-based jailbreak depends on two vulnerabilities. iOS’s PDF rendering engine uses the open source FreeType library, which can overflow a stack buffer when it handles CFF data. This flaw can be exploited to execute arbitrary code with a specially crafted PDF. Once the overflow occurs, a corresponding integer overflow flaw in IOSurface can be misused to elevate privileges from user to root. With that elevated access, code from jailbreakme.com removes the security features that prevent other apps from running on iOS-based devices.
However, security researchers publicized the flaw shortly after the jailbreak launched. They pointed out that the bug can also be used for more malicious purposes just by getting a user to visit a website. Apple quickly acknowledged the problem and assured users that a fix was coming. The patches add bounds checks to both libraries.