Apple Readies Patch for Jailbreakme.com Vulnerability

USA Today’s Byron Acohido is reporting that Apple plans to rush out a patch for the drive-by download flaw that allows jailbreaking if an iPhone, iPad or iPod Touch device simply surfs to a web site.

USA Today’s Byron Acohido is reporting that Apple plans to rush out a patch for the drive-by download flaw that allows jailbreaking if an iPhone, iPad or iPod Touch device simply surfs to a web site.

“The patch is completed, Apple spokeswoman Natalie Kerris said in an interview. But Kerris said on Friday that she was not able to give a time frame for its public release,” Acohido wrote.

The vulnerability, in the way Apple’s iOS processes CFF fonts, could lead to remote code execution.  I

Here’s the gist of the issue, from a US-CERT advisory:

By causing an application that uses FreeType to parse a specially-crafted CFF font, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. This can occur as the result of opening a PDF document or viewing a web page.

In the jailbreakme.com exploits, this flaw is being combined with a privilege escalation issue to get around Apple’s security mechanisms.

Suggested articles

Black Hat USA 2019 Preview

Threatpost editors discuss the top trends, keynotes and sessions that they look forward to at Black Hat USA and DEF CON 2019.

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.