The clock is ticking for Apple to issue a patch for the iOS operating system that powers iPhones, iPods and iPads following the release of a remote exploit that uses specially crafted PDF files to defeat iOS’s content protection mechanisms and “jailbreak” mobile devices like the iPhone and iPad.
Echoing warning issued around previous iOS jail breaks, security experts said this week that the PDF-based exploit that is the basis of the iOS JailbreakMe 3 exploit released this week could be used in a malicious, drive by attack on iOS devices, and that users should exercise caution when clicking on Web links until Apple has a chance to patch the hole in iOS version 4.3.
The exploit, developed and released by the iPhone hacker known as “Comex” was praised as exceptionally powerful and seamless: allowing users to bypass both iOS’s Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) features. The packaging of the PDF-based exploit also allows users to jailbreak their phone simply by pointing their mobile Safari browser to the JailbreakMe.com Web site. While that site prompts users to agree to jailbreak their phone, a malicious implementation need not post any message to users, who would otherwise be unaware that their phone was being attacked.
In an interview with Threatpost on Wednesday, mobile device security expert Charlie Miller said that the latest iOS exploit was exceptionally powerful and could easily be tailored to attacks – though no such attacks have accompanied the release of previous iOS jailbreaks.
Anti malware firm F-Secure warned users to be on the watch for malicious Twitter and other social media links.
Apple has promised a patch for the PDF exploit, but has not given any estimate of how long it will take the company to issue the fix. The company was able to issue a fix for two vulnerabilities used in the last major JailbreakMe release in fewer than two weeks.
Attacks against iOS devices are rare in comparison with attacks against Windows devices. However, the increasing use of mobile devices for a wide range of activities including e-commerce, as well as a new population of iPad users could make these devices a security target.
