Apple promises to fix critical iOS flaws in iPhone, iPad and iPod – but won't say when

The move comes after Germany's Federal Office for Information Security and several independent security researchers highlighted vulnerabilities in iOS version 4.3.3 and possibly other versions, that are used by the latest jailbreaking software.

JailbreakMe 3.0, designed to allow Apple device users to run software other than that dictated by Apple, exploits two separate vulnerabilities, according to security researchers.

One vulnerability circumvents address space layout randomization (ASLR), an anti-hacking technology that obscures memory block locations. The other weakness exploits a flaw in the font parsing code of iOS through the PDF viewer built into the mobile version of Apple's Safari browser.

Earlier this week, the German IT security agency warned that criminals could exploit the PDF vulnerability to infect mobile devices with malware without the user's knowledge.

Possible scenarios for attacks by cyber criminals include extracting confidential information such as passwords, accessing the device's cameras or location data, and listening in on phone conversations, the German IT security agency said.

Apple has issued a statement that it is aware of the issue and is developing a fix that will be available to customers in an upcoming software update, but has provided no indication of when that will be.

When asked for an indication of when users could expect an update, and Apple spokesman said: "There is nothing further to announce at this point of time."

The next scheduled update of iOS is in September, but security experts say Apple should not delay in releasing a security update sooner.

It is essential Apple closes this vulnerability as quickly as possible before it is abused with malicious intent, says Graham Cluley, senior technology consultant at Sophos.

"All eyes now turn to Apple to see how quickly it can secure its users from what could be a vector for iPhone/iPad malware infection. Leaving a security hole like this open is simply inviting malicious hackers to exploit it," Cluley wrote in a blog post.

Ironically, the only protection available until Apple releases an update is a patch released by producers of JailbreakMe 3.0 that can be run only on jailbroken devices. The patch, called "PDF Patcher 2," is available on the Cydia app store, according to InfoWorld.

This story was first published by Computer Weekly

What’s hot on Infosecurity Magazine?