Skip to main content

Apple Warns iOS Users Not to Download PDFs

Last week Germany's Federal Office for Information Security issued a warning claiming that a security hole in several versions of iOS leaves users vulnerable to malicious code contained in infected PDF files.

The exploit, originally uncovered by a team of hackers at JailbreakMe.com, grants the hacker administration privileges over Apple's devices, giving access to passwords, banking information, email, contact information and even allows for telephone conversation interception... all of which is undetected by the user. So far, the only available patch released to resolve the issue is for jailbroken Apple devices. And so far, there have been no reports of hackers actually taking advantage of this newly-discovered exploit.

"Had this exploit been released by a malicious party, it could have been used to hijack personal information on the device, install malware, surveil the user by tracking their GPS information, access the camera and/or microphone, or a perform a myriad of other nefarious tasks," said iPhone hacker and data forensics analyst Jonathan Zdziarski.

But Apple claims that it's hard at work on a fix. "Apple takes security very seriously, we're aware of this reported issue and developing a fix that will be available to customers in an upcoming software update," the company told The Wall Street Journal in a statement. In the meantime, Apple suggests that users refrain from downloading PDF files until the issues is resolved.

The vulnerability was originally discovered after the latest release of JailbreakMe's software (via a PDF no less) was made available on its website. Downloadable only when visiting the site via an Apple device, v3.0 exploits a vulnerability related to how the iOS version of Safari renders PDF pages. This brought security firm Sophos to full red alert status.

"If visiting the JailbreakMe website with Safari can cause a security vulnerability to run the site's code, just imagine how someone with more nefarious intentions could also abuse the vulnerability to install malicious code on your iPad or iPhone," said Graham Cluley, senior technology consultant at Sophos, in a blog post. "If they exploited the same vulnerability in a copy-cat maneuver, cybercriminals could create booby-trapped Web pages that could--if visited by an unsuspecting iPhone, iPod Touch, or iPad owner--run code on visiting devices."

Gizmodo points out that variants of this browser-based exploit has been around since 2007. In iOS v1.1.1 it appeared as a TIFF rendering exploit and then graduated to a PDF rendering exploit in v2.0 and v4.0. Now the problem reportedly resides in versions 4.3 through 4.3.3, and even includes the new and sparkly iPad 2 tablet.

So far the problem seems to only exist when viewing PDFs within Safari. Currently there are both free and paid apps that can read PDF files although none of them are officially sanctioned by Adobe.

  • agoodyu
    Thank you for sharing this technology!!!!!
    Reply
  • alidan
    no one hacks macs/products in bad ways because they believe the mac users have suffered enough.
    Reply
  • guanyu210379
    As iPhone4 users you have to:
    1. Hold your iPhone4 in the right way.
    2. Live with iTunes handcuffs.
    3. Ávoid PDFs.
    4....what will come next??

    iPhone is really a good product, if I may say so.
    Reply
  • palladin9479
    So... the hacked phones already have an update that fixes the issue, but Apple doesn't know how to fix it and instead wants it's user to stop supporting Adobe's products? Right.....
    Reply
  • back_by_demand
    guanyu210379As iPhone4 users you have to:1. Hold your iPhone4 in the right way. 2. Live with iTunes handcuffs.3. Ávoid PDFs.4....what will come next??iPhone is really a good product, if I may say so./sarcasm?

    I would say it is a targetted campaign against Adobe by Apple.

    Adobe should retailate by no longer providing Mac supported versions of any of their software, lets see how long the industry continues to use Macs when all the expensive Pro tools used for content generation are PC exclusive.

    Apple would back down in good time.
    Reply
  • CsG_kieran_2
    I don't think Apple will ever pix this hole...They'll just wait for someone to get hacked and blame Adobe.
    Reply
  • lolyumadbro
    Android fanbois please see: http://www.tomsguide.com/us/DroidDream-Malware-Lookout-Android-Market-Bubble-buster,news-11830.html
    Reply
  • watcha
    'As iPhone4 users you have to:
    1. Hold your iPhone4 in the right way.
    2. Live with iTunes handcuffs.
    3. Ávoid PDFs.
    4....what will come next??

    iPhone is really a good product, if I may say so.'

    1 - No you don't. I can hold my phone any way I want to and it works fine. Flat out lies wont convince the educated majority, who actually own the phone.
    2 - You mean you have to install a program? That is shocking, I must say. I installed iTunes when I first bought my iphone but haven't used it since, perhaps you just haven't got the brains to work out how?
    3 - Avoid PDF's - fair enough, the one valid criticism, now (which has affected nobody). Lets compare that to the Android security problem where you couldn't use public internet FULL STOP without sharing all your details with the world.

    Bitter, bitter fool :-)
    Reply
  • kristoffe
    lolz, I have heard since 1989 how apple is pro for design, while of course printing color swatches for pattern generation... on a commodore amiga and thermal color printer. those were the 2ci 2cx designs apple had, which looked like ibm systems, haha. Then it just got more rabid over time. Anytime there was an advance in windows and or the same software released in the windows world, some rabid mac fanboy had to blabber something marketing related. Then I literally had a tech guy I knew there years later tell me Adobe CS1 rotated files on the new macs up to 40x faster than a windows system. so I went back to my P133 with 128mb ram, rotated a file exactly as he mentioned, and it was about 20-25 seconds FASTER than the pro series macs at the school the just bought.

    enter the world of dual processor pc systems, pii dual 300 supermicro boards, and then the p4,amd series counter parts, overclocking, quad displays etc. everything pc when built was far faster than anything apple could release. ever.

    now the true intel mac world, everything can be hackintoshed to do both. why does hackintoshing exist? because there is no real need ever to use a mac for editing video, audio, 3d, or design and nobody but the most foolish super ego issue people are going to drop $3000 for a laptop or desktop that has the same components as a tigerdirect quad core kit at $399.

    now that the apple marketshare is hitting harder and expanding, the hackers who rely on large targets like a shotgun spray does are finding it useful to target the iOS and os X. Apple pretends it doesn't happen and secretly has AV in it's OS. lolz. The main problem with Apple is it's marketing hype, the engineers and designers are top notch, parallel honestly to many companies like SONY and DELL. It's almost 99% marketing fluff and for 20 years now the company and it's mactard lemming followers are just cabbage patch doll collectors hoping nobody notices they are wearing the emporer's new clothing.

    nothing beats a graphic design company saying "oh well we use macs. we're designers" really? and you drool while reading mostly? Nothing Adobe runs any differently on WIN|MAC at all. Oh look type face conversion, 5 seconds. oh my, a spline. oh wow, a gradient. amazing, actionscript 3 text files, and wow AVI|MOV wrappers ontop of the real compression from various german algorithms. NOTHING is superior about macs, and now they're the target of every nasty hacker group out there.javascript:%20void(0);

    :) WIN.
    Reply
  • molo9000
    CsG_kieran_2I don't think Apple will ever pix this hole...They'll just wait for someone to get hacked and blame Adobe.
    The exploited vulnerability is apparently in a open source library called FreeType. It's neither Apple's nor Adobe's code.

    I wonder if other systems using FreeType are vulnerable, too.
    Reply