Germans sound iPhone attack alarm as Apple claims fix ready
But no word on when Apple will plug the jailbreak exploit holes
Computerworld - Amid a warning by German authorities of possible malicious use of a critical iPhone exploit, Apple said it has a fix ready and will deliver it in the next smartphone update.
The exploit first surfaced Sunday, when it was used to "jailbreak" any device running Apple's iOS mobile operating system. "Jailbreak" is the term that describes the practice of hacking an iPhone to install apps not authorized by Apple.
One prominent vulnerability researcher has called the exploit -- which is actually a two-stage hack that relies on a pair of vulnerabilities -- both "sweet" and "scary."
Germany's Federal Office for Information Security, known by its German-language initials of BSI for "Bundesamt für Sicherheit in der Informationstechnik," warned citizens Wednesday that the two bugs could be used by criminals to hijack iPhones, iPod Touches and iPads.
BSI said that successful attacks could give hackers access to any data on the device, including passwords, e-mails, sent and received text messages, and contacts. The attacks could also let others control the iPhone's camera(s), listen in to phone calls and pinpoint the user's location.
According to security researchers, JailbreakMe -- the software that hacks, or "jailbreaks," iOS 4 -- uses a flaw in mobile Safari's parsing of fonts in PDF documents to compromise the browser, then exploits a second vulnerability that breaks out of the isolating "sandbox" and gains full, or "root," control of the device.
Little is known about the second bug used to gain root access.
BSI told users to not open PDF documents no matter how they're delivered to the iPhone, iPod or iPad, and to browse only trusted sites.
According to the alert, BSI has been in touch with Apple.
For its part, Apple said it has a fix ready to roll out to users. "We are aware of the reported issue," Apple spokeswoman Natalie Harrison told the New York Times and CNET, in stories posted online yesterday. "We have already developed a fix and it will be available to customers in an upcoming software update." Harrison declined to set a timetable for the fix.
Apple did not reply to queries from Computerworld.
Adobe, however, quickly rose to the defense of its popular PDF viewer, Adobe Reader, saying that its software didn't contain the vulnerability, and that the fault lay with Apple's home-grown PDF interpreter, dubbed Preview.
"All of our analysis to date indicates that the vulnerability used in the iPhone jailbreak does not impact Adobe Reader or Acrobat," said Brad Arkin, the company's director of security and privacy.
Arkin also tried to distance Adobe from the PDF format, saying, "...not all PDF-related vulnerabilities are automatically Adobe vulnerabilities," because Adobe released its formerly proprietary format as an open standard in 2008. Arkin's argument may be lost on users, who equate PDF with Adobe, if for no other reason than the 15 years during which the PDF document format was Adobe's alone.
Although Apple has not disclosed a release date for the iOS update that would include the fix, several blogs have reported that developers now have iOS 4.1 beta 3, and that a final edition may be imminent. It's unknown whether the jailbreak exploit fixes will be included in iOS 4.1, however.
Apple has issued only one update to iOS since it launched the iPhone 4 six weeks ago; iOS 4.0.1 included a fix for what Apple had earlier described as a years-old flaw in the code used to calculate signal strength.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@ix.netcom.com.