Thursday, July 14, 2011

Security vulnerability found in iOS management of PDF files - at this time only jailbroken devices can be secured

Security vulnerability found in iOS management of PDF files - at this time only jailbroken devices can be secured -


Apple this week pledged to issue a fix for an iOS vulnerability that could let hackers remotely control iPhones, iPads, and iPod Touches.




"Apple takes security very seriously, we're aware of this reported issue and developing a fix that will be available to customers in an upcoming software update," an Apple spokesman said in a statement.

The move comes after the German Federal Office for Information Security (BSI) issued a warning earlier this week about the possibility of attacks via PDF files.
In a translated version of the report, the agency said clicking on an infected PDF via Email or on the Web is enough to infect an iOS device with malicious software and give the attacker administrative privileges on the device.

The BSI said the vulnerability affects the iPhone 3G, iPhone 4, iPad, and iPod Touch running iOS up to version 4.3.3, though officials said they could not rule out the possibility that other versions of iOS were affected.

The warning said there have been no reported attacks, but anyone taking advantage of the vulnerability could potentially access things like passwords, online banking data, calendars, Emails, text, or contact information.
There could also be access to built-in cameras, the interception of telephone conversations, and the GPS localization of the user, BSI said.

Given that more and more professionals are using the iPad and iPhone in a business setting, BSI warned that the security hole could be used for "targeted attacks on leaders ... to get to confidential company information."

Until Apple issues its patch, therefore, BSI suggested that iOS users do not open unknown PDF files, whether they are received via Email or linked on Web sites.
Browser use and link clicking should also be restricted to trusted Web sites.

Apple did not release a timetable for its security update.
Its last update, 4.3.3, was released in early May and solved a controversial "bug" with Apple's location-based services.

The fix comes amidst the release of JailBreakMe, software that will jailbreak an iOS device using the PDF vulnerability.
The program quickly hit 1 million jailbreaks:



"Be sure to share a link with your friends while it's still available," Grant Paul, one of the creators, tweeted earlier this week. 

JailBreakMe developer Comex said on its Web site:



"Along with the jailbreak, I am releasing a patch for the main vulnerability which anyone especially security conscious can install to render themselves immune; due to the nature of iOS, this patch can only be installed on a jailbroken device. Until Apple releases an update, jailbreaking will ironically be the best way to remain secure," .

 


No comments:

Post a Comment