‘Dangerous’ iPhone exploit code goes public – Computerworld.
This was actually predictable.
A proof-of-concept demonstration showed that iPhones could be “jailbroken” over the web, with no computer involved, simply by surfing to a website directly on the iPhone. Reports are that the exploit works through a vulnerability in Adobe PDF handling on iOS platforms (the software that iPhones, iPads, etc. use to run).
The originator of the exploit, a software hacker named “Comex”, did not initially release the code.
Throngs of people proceeded to jailbreak their iPhones in this way. Those of us in the security and forensics world knew that an exploit would not be far behind.
On Wednesday Apple released a patch to fix the issue that enables this to happen. Minutes later Comex released his code to the internet-at-large.
What does this all mean?
I know a large number of attorneys that use iPhones; I do too. I also know a large number of attorneys that use PDF documents (most, if not all, of them).
Because of the complexity of the code, I would give this about two, maybe three, more days before there are active attempts to inject malicious code into iPhones. This could hit attorneys that haven’t patched especially hard because of the PDF angle.
The answer is simple: Patch your iPhone, iPad, etc. The patch works. I have only done limited testing, but even Comex notes that the patch stops the exploit. Comex sent a Tweet yesterday after Apple released the patch that says it all:
“That was fun while it lasted. Hope you saved your SHSH. Remember that 4.1 rhymes with fun.”
(4.1 is the vulnerable version of the iPhone iOS; 4.2 is the patched version.)