Now Available: iOS PDF Flaw Patch

Apple has released the security updates for iPhone, iPod touch and iPad today. The update address the flaw in PDF handling and I/O that have been recently exploited to create a web-based jailbreak for Apple’s portable devices. iOS 4.0.2 for iPod touch and iPhone and 3.2.2 for iPad is now available via iTunes.

The web-based jailbreak is dependent on two vulnerabilities in order to work. An open source from FreeType Library is used by iOS’s PDF rendering engine, that can result in and overflow of stack buffer whenever it handles a CFF data. The flaw can be exploited to execute an arbitrary code with the help of an especially designed PDF. Once the overflow occurs, and integer counterpart flaw in IOSurface could be misused to elevate privileges from the user to the root. With heightened freedom, a code from jailbreakme.com removes the security features that prevent other apps in running on any iOS-based devices.

Read the rest of the article »