Last week Germany's Federal Office for Information Security issued a warning claiming that a security hole in several versions of iOS leaves users vulnerable to malicious code contained in infected PDF files.
The exploit, originally uncovered by a team of hackers at JailbreakMe.com, grants the hacker administration privileges over Apple's devices, giving access to passwords, banking information, email, contact information and even allows for telephone conversation interception... all of which is undetected by the user. So far, the only available patch released to resolve the issue is for jailbroken Apple devices. And so far, there have been no reports of hackers actually taking advantage of this newly-discovered exploit.
"Had this exploit been released by a malicious party, it could have been used to hijack personal information on the device, install malware, surveil the user by tracking their GPS information, access the camera and/or microphone, or a perform a myriad of other nefarious tasks," said iPhone hacker and data forensics analyst Jonathan Zdziarski.
But Apple claims that it's hard at work on a fix. "Apple takes security very seriously, we're aware of this reported issue and developing a fix that will be available to customers in an upcoming software update," the company told The Wall Street Journal in a statement. In the meantime, Apple suggests that users refrain from downloading PDF files until the issues is resolved.
The vulnerability was originally discovered after the latest release of JailbreakMe's software (via a PDF no less) was made available on its website. Downloadable only when visiting the site via an Apple device, v3.0 exploits a vulnerability related to how the iOS version of Safari renders PDF pages. This brought security firm Sophos to full red alert status.
"If visiting the JailbreakMe website with Safari can cause a security vulnerability to run the site's code, just imagine how someone with more nefarious intentions could also abuse the vulnerability to install malicious code on your iPad or iPhone," said Graham Cluley, senior technology consultant at Sophos, in a blog post. "If they exploited the same vulnerability in a copy-cat maneuver, cybercriminals could create booby-trapped Web pages that could--if visited by an unsuspecting iPhone, iPod Touch, or iPad owner--run code on visiting devices."
Gizmodo points out that variants of this browser-based exploit has been around since 2007. In iOS v1.1.1 it appeared as a TIFF rendering exploit and then graduated to a PDF rendering exploit in v2.0 and v4.0. Now the problem reportedly resides in versions 4.3 through 4.3.3, and even includes the new and sparkly iPad 2 tablet.
So far the problem seems to only exist when viewing PDFs within Safari. Currently there are both free and paid apps that can read PDF files although none of them are officially sanctioned by Adobe.