Apple's iOS4 update cracked by jailbreaking community

This was within a few hours of a new Apple portable device operating system being officially released.

As reported previously by Infosecurity, the Jailbreakme website takes advantage of a flaw - CVE-2010-1797 - iOS' native PDF reader component.

Unfortunately for iPhone users, however, the flaw is regarded as one of the most dangerous on the Apple iOS4 platform since it can be used to infect iPhone, iPad and iPod Touch users with malware by fooling them into visiting an infected website.

This appears to be why Apple has moved so swiftly to patch the flaw in iOS4, but it seems that a further update will now be required.

According to iPhone forum reports, the update to the Jailbreakme website unlock service is thanks to the work of Jay Freeman, the developer of the Cydia package manager used by jailbroken iPhones and iPads, which apparently allows users to keep their devices unlocked.

The move comes after Apple released iOS 4.0.2 for iPhone 4, 3G, 3GS and the iPod Touch 2nd plus 3rd generation, as well as iOS 3.2.2 for the iPad series.

A posting on the Softpedia web portal last night noted that two flaws which Apple updated iOS4 against are classed as drive-by downloads, a technique normally used to attack Windows users using vulnerabilities in popular software like Adobe Reader, Flash Player or Java.

Because of the risk, many security experts are encouraging iPhone users to update their portable devices with the new version of iOS4 and, if they must unlock their iPhones, iPads and iPods, await other jailbreak options, which are less risky.

Softpedia notes that one safety option for users is to install an application called PDF Loading Warner, which is also distributed through Cydia Store.

The app, says the software newswire "displays a warning before opening any PDF document, thus giving users a chance to block any unauthorised attempts to launch PDFs."


What’s hot on Infosecurity Magazine?