iPhone Jailbreak Uses a PDF Display Vulnerability

Posted by kdawson
from the get-out-of-jail-free dept.
adeelarshad82 writes "Latest reports indicate that the website that 'jailbreaks' iPhones, iPads, and iPod Touches does so by means of a PDF-based vulnerability in OS X. PDF parsing and rendering is a core feature of OS X, and there have been several other vulnerabilities in the past in iOS CoreGraphics PDF components." As Gruber points out, the proper term for this is not "jailbreak," but "remote code exploit in the wild."
  • Not a virus (Score:5, Informative)

    by SuperKendall (25149) on Tuesday August 03 2010, @06:33PM (#33131498)

    Macs (and the iPhone) do not yet have any active viruses in the wild.

    It does not mean they cannot get them; there just are none.

    This jailbreak thing is indeed a real live exploit running in the wild, but it's a trojan (kind of) since you are asking it to do one thing (display a PDF) and it does another (jailbreak the phone).

    In a way it should be labeled Malware, but that hardly seems an appropriate label since it's doing the user a favor...

    So there is in fact a known exploit (this PDF bug) and one instance of something that exercises it. Very likely Apple will have this patched in pretty short order - what is really interesting to see is if there will be any "real" (read: malignant) exploits. My guess is probably not, since mobile platforms do not make great zombie systems to control the way desktops do.

    If it were a real virus vector the story would be different as the lure of quickly taking over millions of devices would be very strong...

  • Jailbreak WARNING!!! (Score:4, Informative)

    by daveywest (937112) on Tuesday August 03 2010, @06:33PM (#33131502) Homepage
    Everyone's so excited about how easy this jailbreak is, the tech blogs are neglecting to report the problems with the current jailbreaks. Homescreen bookmarks no longer work on any iOS 4 devices after applying this patch. This is a known bug that's been in public knowledge for weeks, yet I've seen no tech blogs reporting the problems. Frankly, this jailbreak created more problems than solutions.
  • GSview (Score:3, Informative)

    by tepples (727027) <slash2006@noSPAm.pineight.com> on Tuesday August 03 2010, @06:37PM (#33131552) Homepage Journal

    PostScript files may not render on certain devices, such as non-PostScript printers.

    Any printer can be used as a PostScript printer if the PC connected to it is running an implementation of the PostScript language, which converts a PostScript file to a bitmap image. See GSview [wisc.edu].

  • by mewsenews (251487) on Tuesday August 03 2010, @06:37PM (#33131566) Homepage

    I came into the office this morning and noticed that a forums thread I monitor on jailbreaking had exploded over my long weekend. I checked the iPhone dev team blog and they explained that there is a new jailbreak that you can visit with the browser on your phone.

    I navigated to the page on my phone and it said "swipe here to jailbreak".

    I swiped.

    It took about 5 minutes to jailbreak my phone and install the Cydia unofficial app store.

    Simply amazing work. Once I had Cydia I installed ultrasn0w from the repository and now my phone is carrier unlocked.

    Great job, hackers!

  • Re:Not a virus (Score:4, Informative)

    by Monkeedude1212 (1560403) on Tuesday August 03 2010, @07:04PM (#33131834) Journal

    If you don't consider a WORM a virus, then there isn't much in line for Windows viruses either these days. Almost everything else could be classified as trojan, worm, spyware, or other non-virus malware. I haven't had to clean a virus in a LONG time.

  • by melted (227442) on Tuesday August 03 2010, @07:24PM (#33132052) Homepage

    Apple does not use Adobe Reader for PDF. I thought everyone knew this by now. Apparently not.

  • by pclminion (145572) on Tuesday August 03 2010, @07:33PM (#33132158)
    Yeah, I always refer to stuff that happened earlier today as "ages ago."
  • It's a bug in the font rendering component, which apparently lives in kernel space. PDFs are allowed to embed fonts, and apparently Preview doesn't verify the font data before tossing it to the renderer. Apparently the renderer doesn't verify it either, because instead of rejecting the data as invalid, it gives the attacker completely unrestricted control over the software.

    PDFs having embedded fonts is a very useful and entirely reasonable feature. It would help if Preview validated the fonts, but that's not entirely required (you could validate somewhere further down the pipeline, so long as you don't try to process the unvalidated data). There are several other ways to remotely load fonts, ranging from other document formats to the Web Open Font Format (http://www.w3.org/Submission/2010/03/) and some CSS in a web page. There's a decent chance that at least a few others are vulnerable to this exploit. However, there's been considerable research recently into Apple's PDF reader, with one researcher finding 60 different exploitable bugs in the software (though most of them probably aren't kernel). By comparison, the same testing data found three exploitable bugs in Adobe Reader.

    Having font rendering/rasterizing in the kernel is... not brilliant, but not inherently a critical security flaw. It's certainly possible to do in userland, and probably safer, but displaying text is something that almost every app will need to do at some point, and putting it in the kernel will minimize memory footprint and maximize performance. The real WTF here is that the data isn't being validated extremely carefully as soon as it enters the kernel, and possibly before. When kernel-mode code starts parsing unvalidated data, the best you can really hope for is that you get a kernel-mode crash and are forced to do a hard reboot (on Windows, this would be a BSOD).

  • Re:PDF? (Score:5, Informative)

    by cbhacking (979169) <been_out_cruising-slashdot@@@yahoo...com> on Tuesday August 03 2010, @07:54PM (#33132350) Homepage Journal

    Not only is it native, it's really, really insecure. A security researcher named Charlie Miller wrote a 5-line Python script to generate fuzzed (slightly corrupted) PDF files from valid templates. He created roughly 2.8 million of these, and then ran them through Apple's Preview program, and through Adobe Reader. His findings:

    0.09% crash rate on Reader, and 4 exploitable bugs found.
    5.6% crash rate (52x as many), and 61 exploitable bugs found (15x as many).
    When your security is more than an order of magnitude worse than Adobe's, you've got a major problem.

    By the way, this is the guy who won an iPhone at Pwn2Own. He's presented at CanSecWest and Blackhat, and possibly elsewhere. He knows his stuff.
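The two comments above describe, between them, the attack surface (an embedded font stream that the PDF viewer hands to the renderer unvalidated) and the method that found the bugs (generate millions of slightly corrupted PDFs from a valid template and count which ones crash the viewer). The block below is an added example, not code from the thread, from Charlie Miller, or from Apple: it builds a constructed minimal PDF with a stand-in font stream (placeholder bytes, not a real Type1C/CFF program), locates that stream, mutates only the bytes inside it so the PDF container stays well-formed and the mutated data is what reaches the font path, and buckets the outcome of running a viewer over each file. The viewer command passed to `run_target` is hypothetical; any command-line PDF renderer that exits by signal on a crash will do.

```python
"""Template-based PDF mutation fuzzer aimed at the embedded-font stream.

Added example. FAKE_FONT is constructed placeholder data, not a real font;
the renderer command given to run_target() is an assumption of the caller.
"""
import random
import re
import signal
import subprocess
from collections import Counter
from typing import Iterable, List, Optional, Tuple

FAKE_FONT = bytes(range(256)) * 4  # 1024 bytes standing in for a Type1C font


def build_template(font_bytes: bytes = FAKE_FONT) -> bytes:
    """Return a minimal, structurally valid PDF whose page uses one embedded font."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] "
        b"/Resources << /Font << /F1 4 0 R >> >> >>",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Fuzz /FontDescriptor 5 0 R >>",
        b"<< /Type /FontDescriptor /FontName /Fuzz /Flags 32 /FontFile3 6 0 R >>",
        b"<< /Length %d /Subtype /Type1C >>\nstream\n" % len(font_bytes)
        + font_bytes + b"\nendstream",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objs) + 1, xref_pos)
    return bytes(out)


def font_stream_span(pdf: bytes) -> Optional[Tuple[int, int]]:
    """Locate the raw bytes of the object referenced by /FontFile, /FontFile2 or /FontFile3."""
    ref = re.search(rb"/FontFile[23]?\s+(\d+)\s+0\s+R", pdf)
    if ref is None:
        return None
    obj_start = pdf.find(b"\n%s 0 obj" % ref.group(1))
    if obj_start < 0:
        return None
    data_start = pdf.find(b"stream\n", obj_start) + len(b"stream\n")
    data_end = pdf.find(b"\nendstream", data_start)
    return (data_start, data_end) if data_end > data_start else None


def mutate(data: bytes, rng: random.Random, span: Tuple[int, int], max_edits: int = 8) -> bytes:
    """Apply a handful of byte-level corruptions inside span, keeping the length fixed."""
    buf = bytearray(data)
    lo, hi = span
    for _ in range(rng.randint(1, max_edits)):
        i = rng.randrange(lo, hi)
        roll = rng.random()
        if roll < 0.5:
            buf[i] = rng.randrange(256)                      # random byte
        elif roll < 0.8:
            buf[i] ^= 1 << rng.randrange(8)                  # single bit flip
        else:
            buf[i] = rng.choice((0x00, 0x7F, 0x80, 0xFF))    # boundary values
    return bytes(buf)


def generate_corpus(template: bytes, count: int, seed: int = 0) -> List[bytes]:
    """Produce count mutated variants of template, deterministic for a given seed."""
    span = font_stream_span(template)
    if span is None:
        raise ValueError("template has no embedded font stream to mutate")
    rng = random.Random(seed)
    return [mutate(template, rng, span) for _ in range(count)]


def classify_returncode(rc: int) -> str:
    """subprocess reports death by signal as a negative return code."""
    if rc < 0:
        try:
            return "crash:" + signal.Signals(-rc).name
        except ValueError:
            return "crash:signal%d" % -rc
    return "ok" if rc == 0 else "error:%d" % rc


def run_target(cmd: List[str], path: str, timeout: float = 5.0) -> str:
    """Render one file with a hypothetical viewer command and bucket the outcome."""
    try:
        proc = subprocess.run(cmd + [path], stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "hang"
    return classify_returncode(proc.returncode)


def crash_rate(outcomes: Iterable[str]) -> float:
    """Fraction of runs that died by signal, the figure quoted per viewer above."""
    counts = Counter(outcomes)
    total = sum(counts.values())
    crashes = sum(n for label, n in counts.items() if label.startswith("crash"))
    return crashes / total if total else 0.0
```

Restricting mutations to the font stream is a deliberate departure from mutating the whole file: the xref table and `/Length` stay correct, so every case survives the PDF parser and the corrupted bytes are delivered to the font code, which is the component the comment above says does no validation. Crash buckets keyed on the signal name are the minimum triage needed before deciding which of the crashing inputs are worth looking at in a debugger.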

  • by jazzmans (622827) on Tuesday August 03 2010, @07:55PM (#33132356) Journal

    Uhm, if you read on the jailbreak page, after the phone is jailbroken, and Cydia installed, they (the hackers who wrote the exploit) then fix the flaw in safari so that no more code can be run to root the phone.

    So, yes. It is a benefit, since there is obviously a serious flaw in the OS & jailbreaking it fixes the flaw.

    Oh yeah, and no mms or bookmark issues for me either. It Just Works.

    jaz

  • Re:PDF? (Score:4, Informative)

    by cbhacking (979169) <been_out_cruising-slashdot@@@yahoo...com> on Tuesday August 03 2010, @08:13PM (#33132514) Homepage Journal

    (Sorry to reply to myself, but the second line - the 5.6% crash rate and 61 exploitable bugs - is in Apple's Preview app. I also got the factor wrong (it's closer to 60x as many crashes). Sorry, I really need to stop posting on /. at work; I'm too distracted to double-check before hitting Submit.)
