Wow
That's....bad! Move a slider in a browser, and root the fecking device? Nice security!
Apple plans to issue fixes for two security flaws that when exploited together allow attackers to remotely install malicious apps on iPhones, iPads, and iPod touches. Although the critical vulnerabilities surfaced over the weekend, Apple officials didn't acknowledge them until Wednesday, the same day the German government …
and then install the PDF Loading Warner from Cydia, which will warn you whenever mail or safari try to open a PDF so you can cancel it.
Yet again, the jailbreakers are making iOS secure before Apple do :)
Was it really needed for you to bash Microsoft/Adobe in a post about Apple? The entire issue is about Apple, so why bring up MS/Adobe at all? Is the PDF reader on the IOS Adobe or Apple? Is the iOS a MS product? Nope? Then I see no reason to detract from the fact Apple are lackluster when it comes to security by trying to fawn MS/Adobe as evil companies who let your OS be taken over 24/7 at a whim.
You get upset because they make a reference to all the past failures of Adobe and MS when someone who hasn't had a track record for failures fails? In fact, it added some information to the article because it made it clear this was Apple's code and not Adobe's PDF code.
Apple still FAILED in my eyes... I won't BUY an Iphone/Itouch. It was cool however, someone tossed their broken Iphone 3Gs that only needed a new screen and LCD. It cost me $55US plus 4hrs of research on installing the parts.
1. Apple failed by not allowing bluetooth transferring of files to a phone or PC.
2. Apple failed by not using the universal MICROUSB cables. (You are stuck with purchasing overpriced proprietary APPLE cables and adaptors).
3. Apple failed by their warranty program (mainly because they are replacing each new release phone with one with either faster processor or bigger hard drive space with minor cosmetic changes every 12 to 16 months).
I won't be surprised if Apple now make a new Iphone version in 2012 with a new proprietary power/sync cable that cost 50 bucks and all cables from version 1 to 4 obsolete.
Oh, my... Haven't companies learned yet that automatically opening files always ends in tears?
What do you think happens when you visit a website? What do you think an HTML file is, if not a - y'know - file? The iOS browser brings PDF up to a first level file along with HTML, JPEG, PNG and so on - that's the only difference here.
To be fair, I work with the guts of PDF on a daily basis and some of the legacy stuff there (parsing Type 1 fonts or some of the freaky CCITT variations etc) is just awful, so there's more room for error parsing PDF than JPEG.
I'm also surprised on a device like this that Apple aren't flagging the data area as no-execute, which neuters this sort of buffer overrun. I guess not, so we won't see the last of these.
I get the impression the iphone doesn't have that option
....are not really something Apple understand, as far as I can tell.
GJC
“we have already developed a fix and it will be available to customers in an upcoming software update.”
Yeah, they are going to remove all PDF support from the thing now :P
So relations will already be strained between the two. And there's enough of a history of PDFs and Acrobat creating gaping security holes that it wouldn't be hard to get Apple's PR guys to start saying why PDF support isn't necessary.
Plus the iPhone isn't exactly a business device anyway, so I can't see the absence of PDF support being a problem for most users.
And there are PDF-> other format converters all over the web, so Jobs would just tell you to use one of them (or rather Apple's pay-to-use certified version).
Just put your finger on the "I don't want PDFs rooting my phone" button that is placed on the side between the two antennas...
In other news, a user has found that when they hold their phone with their finger over a certain part, pictures don't come out either!
Who found the exploit first - Jailbreakme.com or the German Federal Office for Information Security?
Whilst the Jobs gang plays catch-up what are they doing about fixing all the other iOS problems such as Bluetooth, etc.? Mind you, Jailbreakme.com did manage to actually get Apple to admit they have 'issues' with the Lemon ware.
Or the excellent job that Apple have done to Nike Plus in iOS 4. So good, in fact, that Nike suggest that if you've recently bought an iPhone/iPod & Nike Plus, you return it back to the Apple Store as the system doesn't work.
.. but I guess the sentiment is there I suppose.
Though it is funny thinking of all the iPads and iPhones in Apple stores with Cydia installed over the last couple of days. :)
It doesn't work as a phone and gets rooted if you try to use it for web surfing or email. What exactly is it for? Just a fashion accessory? Of course it will still continue to fly off the shelves, says a lot about the users.
Except the only known exploit doesn't root your phone, it jailbreaks it.
(as you would know if you'd read the article)
Rooting the phone is implied as you can't jailbreak it without root access.
Sadly, after the last few years, I have a cynical view that the rush to get the fix out is to prevent the phone being jail-broken rather than the prevention of harm to actual real, paying customers. Am I too cynical?
Is that legal? I'll have to start looking for a fix....
Henri
IIRC Safari wasn't updated for iOS4, so this is likely an old exploit that they've been saving for the launch of new hardware to make jail breaking as painless as possible, especially now that it's legal in some places.
It's the same with the custom firmwares for the PSP, hackers find various exploits but they don't release them in case Sony fixes them in the next firmware. Then the hackers use the flaw to attack the latest firmware when it arrives.
I jailbroke (is it a verb now? ;) ) my old 3G the other day. I'm still not very impressed with Cydia or Rock, they seem to spend 99% of their time downloading lists of updates, which takes ages. Plus the stability and usability of the emulators on there is really rubbish, as are the high prices.
....just took on a whole new meaning. And not in a good way.
GJC
Uh oh, I've been strenuously avoiding an upgrade to iOS 4 on my 3G, due to all of the issues it seems to be causing people...
Now it looks like I'll have to take the plunge to get this fix...or simply get an iPhone 4. Which I was holding off doing until the white ones came out.
I have, on these forums, previously defended Apple's desire to only support one release of the iOS at a time. It makes sense, in the scheme of things. But I'm really hating it right now...would love a fork for iOS 3 support. Failing that Apple, can we get an iOS 4 that configures itself minimally for 3G/GS users, with no multitasking, no Spotlight, etc.?
In the same position - too many 3G users reporting issues with last OS upgrade that I decided to hold off.
The "choice" between keeping a potentially serious security flaw, or upgrading to an OS that grinds my phone to a halt is somewhat short of ideal.
You have three choices
a. Upgrade to iOS4 (unless you're on an original iPhone or iPod Touch)
b. Leave the phone insecure
c. Jailbreak it then install the PDF Warner.
I have a 3G, I upgraded to iOS 4... I had it for a week before spending several hours downgrading back to 3.1.3 due to speed issues.
Simply put the 3G cannot cope with iOS4, camera took 30 seconds to load first time, 20 seconds after that, Settings took 10 seconds, Messages longer... and keyboard response was piss poor... Typed whole sentences then wait for all the key presses to register before continuing...
I really cannot advise you strongly enough NOT to upgrade.
The jail break does not work with iOS 4.1 beta, so I guess Apple have already fixed that bug and is why the jailbreak was released now rather than waiting for 4.1.
-- Let's hope that the dev team have some more holes in their pockets!
Jobby slates Adobe.
Yet another flaw announced in iOS leaving users vulnerable.
But it's not Adobe's fault.
Jobby is hypocritical and arrogant and WRONG.
@AC 4.26am
Apple hasn't had a track record for failures? Can you name one iPhone/iOS that hasn't been rootable and carrier-unlockable very very easily?
iOS 3 = XP
iOS 4 = Vista
We are all just waiting for iOS 5 :)
iOS4 is perfectly good, it's nothing like VISTA.
It's the iPhone 4 antenna that has the quirks.
Comparing iPhone 4 to VISTA is stupid, VISTA didn't sell well yet the iPhone 4 has.
Vista was touted to run on XP Hardware, but turned out to be a clinker-built slug-hog released according to the marketing dept's schedule, despite a host of known QC issues. Ditto iOS4 - and iPhone4 for that matter.
I don't care how many people have said it.
Who the hell thought that was a good idea and why have they not been put down?
My god, just the sheer annoyance of it would drive me mad.
...whereas most browsers automagically run Flash unless you tell them not to.
Which is worse, knowingly running something that obviously has script inside it or opening something that doesn't?
(Just for the record, I've turned Flash off. It's mostly unnecessary, as you can immediately tell once you've turned it off for a while. About 10% of the Flash is important to the working of the page and that's probably my biased view because I watch videos online ;)
According to many posts I've read on different forums the iPhone can't ever be hacked because of signed code limitations. This must not have happened, it's just a hoax.
My iPhone mail app has never opened PDFs automatically - I have to select them. OK, it doesn't ask me to confirm that I want to open it, but an explicit action is required.
Is my iPhone unusually paranoid or is the article over-egging the mail attack vector?