A website set up to help iPhone users jailbreak their devices is using a flaw in the way the iPhone handles PDF files to escape the phone’s sandbox and let users load applications that aren’t in Apple’s official App Store. The same flaw could easily be used to install malicious software in drive-by download attacks, experts say.
The Jailbreakme.com site is designed to help users jailbreak their phones, which gives them the ability to circumvent Apple’s process for approving iPhone apps and load apps from any source they choose. Such sites are not new, but the new service on Jailbreakme.com appears to use a previously unknown vulnerability in the iPhone. Initial reports indicated that the vulnerability was in the mobile version of Apple’s Safari browser. But it now appears that the problem is in a component meant to be used for displaying PDFs.
The iPhone doesn’t have a mobile version of the Adobe Reader software and instead reads PDF files natively. So the technique that Jailbreakme.com is using likely is exploiting a new bug in the iPhone itself, experts say. The iPhone has several security protections in place that are designed both to prevent malicious code from running on the device and also to stop users from loading unapproved apps on the phone.
Adobe security and privacy chief Brad Arkin said that the company does not have any evidence to indicate that Reader is involved in the exploit.
In order for the exploit to work and jailbreak one of the devices, it first has to get control of the mobile browser on the device. The next step would be to somehow circumvent DEP (Data Execution Prevention), the memory protection on the browser. The exploit then needs to find a way to break out of the iPhone’s sandbox environment and get root privileges on the phone. And finally, it would need to turn off the code-signing functionality that Apple uses to enforce its rules on official apps.
One security researcher said that the new iPhone exploit appeared to be very well engineered: it must chain methods for evading every one of the device’s security protections into a single exploit. The only publicly known exploit that was able to bypass all of those iPhone defenses at once is the iPhone SMS bug that researcher Charlie Miller talked about at several conferences last year.
Cydia is the package that the exploit installs on the jailbroken iPhone; it allows users to find and install apps from sources other than the App Store. The site has a function that identifies which device a visitor is using to access the Jailbreakme.com page, and it has a separate version of the jailbreak for each current firmware version of the iPad, iPhone and iPod Touch.
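The device and firmware identification described above is the same information a site operator can read back out of their own web server logs. The following is an added example, not code from the article or from Jailbreakme.com, and it assumes (as an assumption, not something the article states) that identification is done from Mobile Safari’s User-Agent header. It parses the device family and OS version from constructed sample access-log lines and flags visitors whose firmware is below a threshold the operator supplies, which is how a defender would look for devices still exposed to a drive-by PDF attack.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample access-log lines (not real traffic). The User-Agent is the
# last double-quoted field; the strings follow the layout Mobile Safari used on
# iOS 3.x/4.x, where iPad reports "CPU OS" and iPhone/iPod report "CPU iPhone OS".
SAMPLE_LOG: List[str] = [
    '10.0.0.1 - - [02/Aug/2010:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0_1 like Mac OS X; en-us) '
    'AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A306 Safari/6531.22.7"',
    '10.0.0.2 - - [02/Aug/2010:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) '
    'AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B367 Safari/531.21.10"',
    '10.0.0.3 - - [02/Aug/2010:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (iPod; U; CPU iPhone OS 3_1_3 like Mac OS X; en-us) '
    'AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7E18 Safari/528.16"',
    '10.0.0.4 - - [02/Aug/2010:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0 Safari/537.36"',
]

# Device family inside the parenthesised platform block, followed by the
# underscore-separated OS version; "iPhone " before "OS" is optional so that the
# iPad form also matches.
_UA_RE = re.compile(r'\((iPhone|iPad|iPod)[^)]*?CPU (?:iPhone )?OS (\d+(?:_\d+)*)')


def parse_ios_ua(user_agent: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Return (device family, version tuple) for an iOS Mobile Safari UA, else None."""
    m = _UA_RE.search(user_agent)
    if not m:
        return None
    version = tuple(int(part) for part in m.group(2).split('_'))
    return m.group(1), version


def user_agent_of(log_line: str) -> str:
    """Pull the User-Agent out of a combined-format access-log line (last quoted field)."""
    fields = re.findall(r'"([^"]*)"', log_line)
    return fields[-1] if fields else ''


def flag_unpatched(log_lines: List[str], fixed_in: Tuple[int, ...]) -> List[Tuple[str, str, str]]:
    """List (client IP, device, version) for iOS visitors reporting a version below fixed_in.

    fixed_in is supplied by the caller (placeholder: substitute the firmware
    version the vendor publishes as fixing the flaw). Tuple comparison handles
    versions of different length, e.g. (3, 2) < (4, 0) < (4, 0, 1).
    """
    hits = []
    for line in log_lines:
        parsed = parse_ios_ua(user_agent_of(line))
        if parsed is None:
            continue  # not an iOS device; nothing to assess
        device, version = parsed
        if version < fixed_in:
            hits.append((line.split()[0], device, '.'.join(map(str, version))))
    return hits


if __name__ == '__main__':
    # (4, 0) is an arbitrary threshold for the demonstration, not a statement
    # about which firmware fixed the PDF flaw.
    for ip, device, version in flag_unpatched(SAMPLE_LOG, (4, 0)):
        print(f'{ip}\t{device}\tiOS {version}')
```

The parser deliberately keys on the platform block rather than the trailing `Safari/` token, because the WebKit and Safari build numbers do not map cleanly to firmware versions, whereas the `OS x_y_z` field is what the device itself reports.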