It hasn’t been a good couple of weeks for Apple on the security front.
In the latest bit of bad news, a flaw in the way that iPhones and other devices running iOS display Adobe PDF files is allowing websites that serve specially crafted PDFs to take control of the devices.
So far, the best-known site using the technique, called jailbreakme, is only acting as a public service: iPhone owners who visit and click a button can free their phones from AT&T’s network and install applications that aren’t sanctioned by Apple. But security researchers said on Tuesday that the same method could give malicious websites–which might be pretty effective if they pretended to be extending jailbreak services–control over the phones, with the ability to steal or delete contacts and other information.
“We are aware of these reports and we are investigating,” said Apple spokeswoman Natalie Harrison, in a comment so effusive by Apple standards that it strongly suggests a fix is in the works.
The main problem has to do with the way Apple’s Safari mobile browser interprets fonts, but McAfee researcher Dave Marcus said a second problem, in the software kernel, allows attackers to escalate their power after gaining access.
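The attack path described above runs through the font programs a PDF can carry: the viewer has to parse them to render the page, so a PDF that embeds its own fonts is the thing a defender wants to spot before it is opened. The script below is an added triage example, not code from the article or from any of the researchers it quotes. It scans raw PDF bytes for the three FontDescriptor keys that point at an embedded font program (/FontFile, /FontFile2, /FontFile3), resolves the referenced object and reports its subtype and length. The two sample PDFs are constructed for the example; the script assumes uncompressed objects and will miss fonts packed inside compressed object streams, which is the caveat to remember before trusting a "clean" result.

```python
import re

# Constructed sample PDFs (not files from the article): the first embeds a
# compact (CFF) font program via /FontFile3, the second uses only a standard
# base font and embeds nothing.
PDF_WITH_EMBEDDED_FONT = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Resources << /Font << /F1 4 0 R >> >> >> endobj
4 0 obj << /Type /Font /Subtype /Type1 /BaseFont /CustomFont /FontDescriptor 5 0 R >> endobj
5 0 obj << /Type /FontDescriptor /FontName /CustomFont /FontFile3 6 0 R >> endobj
6 0 obj << /Subtype /Type1C /Length 4 >>
stream
\x01\x00\x04\x02
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

PDF_WITHOUT_EMBEDDED_FONT = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Resources << /Font << /F1 4 0 R >> >> >> endobj
4 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Helvetica >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /FontFile (Type 1), /FontFile2 (TrueType) and /FontFile3 (CFF / OpenType)
# are the keys a FontDescriptor uses to reference an embedded font program.
FONTFILE_RE = re.compile(rb"/FontFile([23]?)\s+(\d+)\s+(\d+)\s+R\b")
SUBTYPE_RE = re.compile(rb"/Subtype\s*/([A-Za-z0-9]+)")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)")


def _object_body(pdf: bytes, num: int, gen: int):
    """Return the body of indirect object `num gen obj ... endobj`, or None."""
    pattern = rb"(?s)(?<![0-9])%d\s+%d\s+obj(.*?)endobj" % (num, gen)
    m = re.search(pattern, pdf)
    return m.group(1) if m else None


def find_embedded_fonts(pdf: bytes) -> list:
    """One record per embedded font program referenced from a FontDescriptor."""
    found = []
    for m in FONTFILE_RE.finditer(pdf):
        num, gen = int(m.group(2)), int(m.group(3))
        body = _object_body(pdf, num, gen) or b""
        sub = SUBTYPE_RE.search(body)
        ln = LENGTH_RE.search(body)
        found.append({
            "key": "FontFile" + m.group(1).decode(),
            "object": f"{num} {gen}",
            "subtype": sub.group(1).decode() if sub else None,
            "length": int(ln.group(1)) if ln else None,
        })
    return found


def triage(pdf: bytes) -> dict:
    """Summarise whether a PDF carries font programs the viewer will have to parse."""
    fonts = find_embedded_fonts(pdf)
    return {
        "embedded_fonts": len(fonts),
        "fonts": fonts,
        "flag": bool(fonts),
        # Limitation of this heuristic: objects packed into compressed object
        # streams (/ObjStm) are not decoded, so they are not inspected here.
        "note": "uncompressed scan only; compressed object streams not inspected",
    }


if __name__ == "__main__":
    for name, doc in (("with-font", PDF_WITH_EMBEDDED_FONT),
                      ("no-font", PDF_WITHOUT_EMBEDDED_FONT)):
        print(name, triage(doc))
```

A flagged file is not a malicious file; most professionally produced PDFs embed fonts. The value of the check is in the negative direction for content you control (a PDF that should not contain a font program but does) and as a filter that decides which files are worth unpacking with a full parser.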
There were no immediate reports of iPhone takeovers. But there is a good possibility that there will be some before Apple gets its patch out.
The bug follows the publication on July 21 of a vulnerability in the way Safari stores a Mac user’s name, company, address and email address and offers it up for easy entry on Web forms.
Longtime researcher Jeremiah Grossman showed off a simple script that rotates through all 26 possible first letters and triggers Apple’s overeager autofill function, allowing websites to capture the personal data with minimal effort. Apple released an update for Safari that fixed the problem on July 28.
Which brings us to last month’s report (non-jailbreaking PDF) from Secunia that found Apple accounted for the most reported vulnerabilities of any software vendor last year. That includes flaws in Quicktime and iTunes and doesn’t mean that Apple had the most severe flaws.
But it does provide added evidence that the greatest security problem with Apple might be the smugness of its users.