PDFs that exploit iPhone, iPad zero-day available on the Web
German government security agency warns of possible attacks; Apple promises a patch
Computerworld - Hours after developers revealed they had exploited bugs in Apple's iOS to "jailbreak" iPhones and iPads, German government security authorities warned that one of the flaws could be put to malicious use.
Malformed files that exploit the vulnerability have been publicly posted on the Internet.
Late Wednesday, Germany's Federal Office for Information Security, known by its German-language initials of BSI for "Bundesamt fuer Sicherheit in der Informationstechnik," warned citizens that the iOS bug could be used by criminals to hijack iPhones, iPads and iPod Touches.
"Even clicking a crafted PDF document or surfing to a website with the PDF documents are sufficient to infect the mobile device with malicious software," the BSI said in a translation of the German-language alert.
PDF files that successfully exploit the vulnerability are available on the Web, according to Mikko Hypponen, chief research officer of Helsinki-based antivirus company F-Secure.
And those PDFs could be used by miscreants to hack iOS devices simply by luring users to malicious sites, said Andrew Storms, director of security operations at nCircle Security.
iPhone and iPad users steered to a malicious PDF -- via a link embedded in an email, for instance -- would not receive any warning or be required to take additional action.
"This is a click-and-pwn kind of situation since the user is not prompted to confirm opening the file," said Storms, referring to the term used by researchers to describe hijacking a device.
The BSI warning came just hours after a group of developers released an updated version of JailbreakMe, a tool that hacks iOS so iPhone and iPad users can install software not sanctioned by Apple.
Those developers exploited a pair of vulnerabilities, including one in the font parsing of the PDF viewer integrated with the iOS version of Safari, and another that bypassed anti-malware defenses such as ASLR (address space layout randomization).
Wednesday, security experts said that the same vulnerabilities, particularly the one exploitable through malicious PDF files, could be used by criminals to hijack Apple's popular iPhone and iPad.
"They're certainly a threat, and would be easy to make malicious," said Charlie Miller, a noted Mac OS X and iOS vulnerability researcher who works for Denver-based Accuvant.
Miller also speculated that Apple would quickly patch the vulnerabilities, perhaps even faster than last year when it faced a similar situation. In August 2010, Apple patched a pair of bugs used by JailbreakMe 2.0 just 10 days after the tool's release.
News of JailbreakMe 3.0's impending release had leaked several days before Wednesday's official launch, noted Miller, and should have given Apple even more warning.
Yesterday's BSI alert was similar to one it issued last August after JailbreakMe 2.0 appeared.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts