Jailbreaking iPhones has been around for a while, but Comex’s 4.0 Jailbreakme.com is different in one huge way that shouldn’t sit well with you if you are on an iOS device. The jailbreak happens without any user intervention because of a security hole in iOS that allows a website to write data to your iPhone. Obviously, if you can jailbreak an iPhone remotely, you can do just about anything else you want to it.
Your iOS device is insecure in such a big and obvious way right now. You should be extremely careful of what sites you visit.
MacStories details how a FlateDecode vulnerability is exploited through a PDF file embedded within a Web page (believe us, hackers already know this and are working on this as quickly as Apple is readying a fix). Basically, iOS tries to parse the PDF file from the Web but, in doing so, it executes some code that, in this case, allows you to jailbreak your device. It isn’t rocket science to have it do something completely different and much, much worse. And there won’t be a slider that asks if it is OK.
Apple has to fix this almost immediately in an update. I imagine this is one of those “no one sleeps until an update is ready” type of moments in the iOS security team. Maybe not, but this is rather dangerous in the wild as it is.
Unfortunately, the reality is that not everyone updates their iPhone for every security risk. Even Steve Jobs was shown to be months behind security vulnerabilities on his iPhone. If Steve Jobs doesn’t keep his iPhone current, there are going to be lots of people out there who are susceptible for a long time. Corporate IT managers are going to have a great time rounding up mobile workforces and forcing updates. That sales guy in Europe? That’s just the beginning.
This has happened before without major incident:
The original iPhone jailbreak was a similar situation where a TIFF file format was exploited to gain control of the iPhone. However, that was a long time ago and a lot of iPhones have been sold since then. And iPods and iPads. The iOS is a much bigger target now and the rewards are much greater for hackers.
Ironically, one of the only ways to make sure your device is immune from such an attack is to jailbreak it and install a little code that will bring up a pop-up window before allowing the PDF to run on your computer. Pasted again from MacStories below.