Slashdot Mirror
iPhone Jailbreak Uses a PDF Display Vulnerability
adeelarshad82 writes "Latest reports indicate that the website that 'jailbreaks' iPhones, iPads, and iPod Touches does so by means of a PDF-based vulnerability in OS X. PDF parsing and rendering is a core feature of OS X, and there have been several other vulnerabilities in the past in iOS CoreGraphics PDF components." As Gruber points out, the proper term for this is not "jailbreak," but "remote code exploit in the wild."
I forget can some one remind me what P.D.F. stands for again?
Didn't you know that Apple is more secure?
As soon as I saw "computer-free jailbreak, straight from your browser" I thought "oh man.. here we go."
Is it really so hard to write a document viewer that can not crash? These aren't small companies. We're talking about Apple, Adobe, Microsoft here. Can't they at least get the core functionality right? I'll settle for safe if getting it right is too much to ask for.
It stands for PeDoFile.
HAND.
It's really funny to see how this is treated by the mass media. They make it sound like it's a feature...
"Just don't render it that way." - Adobe
Macs (and the iPhone) do not yet have any active viruses in the wild.
It does not mean they cannot get them; there just are none.
This jailbreak thing is indeed a real live exploit running in the wild, but it's a trojan (kind of) since you are asking it to do one thing (display a PDF) and it does another (jailbreak the phone).
In a way it should be labeled Malware, but that hardly seems an appropriate label since it's doing the user a favor...
So there is in fact a known exploit (this PDF bug) and one instance of something that exercises it. Very likely Apple will have this patched in pretty short order - what is really interesting to see is if there will be any "real" (read: malignant) exploits. My guess is probably not, since mobile platforms do not make great zombie systems to control the way desktops do.
If it were a real virus vector the story would be different as the lure of quickly taking over millions of devices would be very strong...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Everyone's so excited about how easy this jailbreak is, the tech blogs are neglecting to report the problems with the current jailbreaks. Homescreen bookmarks no longer work on any iOS 4 devices after applying this patch. This is a known bug that's been in public knowledge for weeks, yet I've seen no tech blogs reporting the problems. Frankly, this jailbreak created more problems then solutions.
PostScript files may not render on certain devices, such as non-PostScript printers.
Any printer can be used as a PostScript printer if the PC connected to it is running an implementation of the PostScript language, which converts a PostScript file to a bitmap image. See GSview.
I came into the office this morning and noticed that a forums thread I monitor on jailbreaking had exploded over my long weekend. I checked the iPhone dev team blog and they explained that there is a new jailbreak that you can visit with the browser on your phone.
I navigated to the page on my phone and it said "swipe here to jailbreak".
I swiped.
It took about 5 minutes to jailbreak my phone and install the Cydia unofficial app store.
Simply amazing work. Once I had Cydia I installed ultrasn0w from the repository and now my phone is carrier unlocked.
Great job, hackers!
That Tavis Ormandy is torn apart for releasing a more complicated vulnerability, but jailbreaking your phone just by clicking a url is widely celebrated. How difficult is it really gonna be to weaponize this jailbreak...
They may have stopped in later versions(my job description requires supporting XP, and you have to pay me to care about windows, so that is where my knowledge lies); but MS included flash in XP. It is version 6; because base XP is older than dirt; but they did include it.
More relevant to modern readers, most OEMs seem to ship consumer-focused systems with vaguely up-to-date-but-just-a-bit-behind versions of Flash(and acrobat reader, and other stuff). This isn't strictly microsoft's fault; but it is what you are likely to get out of the box.
If you consider jailbreaking the iPhone a favor to the user.
The users who are doing it would, that's why they are doing it!
The next site that uses this gaping security hole to install a rootkit, or other malicious piece of software, won't be such a favor. This is a huge security issue for iDevices.
Oh, I totally agree - it's a pretty bad security flaw, and has nice demonstration code for how to exploit it as well so it's pretty much the worst possible case.
That's why it's so interesting to see if there are in fact followup malicious attacks.
The fact that it is a PDF exploit rather than an iOS issue makes it more difficult for Apple to patch since it's not "one of their own".
No. Apple wrote all the PDF handling code in iOS (and on the Mac). We'd see a lot more attacks like this had they embedded Adobe Reader....
Clearly it's Apple responsibility to fix this ASAP (and their fault for letting it get into customer's hands), so they better get on it before someone else starts turning things into iP0wns.
It is 100% on Apple to get a fix out. With 4.1 so close at hand, they may wait on that to finish up... or perhaps it's a sliding scale and the first sign of any real attack will bring down the update hammer if it happens before 4.1 (4.1 beta 3 just came out today and probably fixes this bug).
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Its actually not hard to read the entire exploit yourself from the site. Change your browsers useragent to an iPhone like string, and inspect the javascript on the page. i scoffed when i found the function that makes the url to the exploit file:
function get_page() {
return model == null ? null : ("/_/" + model + "_" + firmware + ".pdf")
}'
Apple does not use Adobe Reader for PDF. I thought everyone knew this by now. Apparently not.
Yeah, I always refer to stuff that happened earlier today as "ages ago."
It's a bug in the font rendering component, which apparently lives in kernel space. PDFs are allowed to embed fonts, and apparently Preview doesn't verify the font data before tossing it to the renderer. Apparently the renderer doesn't verify it either, because instead of rejecting the data as invalid, it gives the attacker completely unrestricted control over the software.
PDFs having embedded fonts is a very useful and entirely reasonable feature. It would help if Preview validated the fonts, but that's not entirely required (you could validate somewhere further down the pipeline, so long as you don't try to process the unvalidated data). There are several other ways to remotely load fonts, ranging from other document formats to the Web Open Font Format (http://www.w3.org/Submission/2010/03/) and some CSS in a web page. There's a decent chance that at least a few others are vulnerable to this exploit. However, there's been considerable research recently into Apple's PDF reader, with one researcher finding 60 different exploitable bugs in the software (though most of them probably aren't kernel). By comparison, the same testing data found three exploitable bugs in Adobe Reader.
Having font rendering/rasterizing in the kernel is... not brilliant, but not inherently a critical security flaw. It's certainly possible to do in userland, and probably safer, but displaying text is something that almost every app will need to do at some point, and putting it in the kernel will minimize memory footprint and maximize performance. The real WTF here is that the data isn't being validated extremely carefully as soon as it enters the kernel, and possibly before. When kernel-mode code starts parsing unvalidated data, the best you can really hope for is that you get a kernel-mode crash and are forced to do a hard reboot (on Windows, this would be a BSOD).
There's no place I could be, since I've found Serenity...
Not only is it native, it's really, really insecure. A security researcher named Charlie Miller wrote a 5-line Python script to generate fuzzed (slightly corrupted) PDF files from valid templates. He created roughly 2.8 million of these, and then ran them through Apple's Preview program, and through Adobe Reader. His findings:
0.09% crash rate on Reader, and 4 exploitable bugs found.
5.6% crash rate (52x as many), and 61 exploitable bugs found (15x as many).
When your security is more than an order of magnitude worse than Adobe's, you've got a major problem.
By the way, this is the guy who won an iPhone at Pwn2Own. He's presented at CanSecWest and Blackhat, and possibly elsewhere. He knows his stuff.
There's no place I could be, since I've found Serenity...
(Sorry to reply to myself, but the second line - the 5.6% crash rate and 61 exploitable bugs - is in Apple's Preview app. I also got the factor wrong (it's closer to 60x as many crashes). Sorry, I really need to stop posting on /. at work; I'm too distracted to double-check before hitting Submit.
There's no place I could be, since I've found Serenity...
This might be useless if the 3G/4G networks gets blasted by a ton of zombied iPhones and updates can't get to the phone so easily.
The updates comes through iTunes on the users home connection, not over the cell network.
Or possibly you could use this to disable the network entirely and essentially brick it until reset to default.
That implies an exponential spread which would mean a real virus. A website or two that spread malicious code would be unable to have this effect. There's really not a good way you could get a virus going on the iPhone, it's not like they are listening to the internet at large for incoming data or have open ports you can do something with.
Besides, on AT&T, how would you be able to tell?
"There is more worth loving than we have strength to love." - Brian Jay Stanley
What about not including it by default, but not banning it either, and letting people install it if they choose to?
Dilbert RSS feed
Regarding 2), I think that would only be correct if virius was that masculine etc etc. But since everyone is talking about viruses, not viriuses, the term "virii" is pure retardation.
Disclaimer: IANAL. This post is, however, legal advice, and creates an attorney-client relationship.