Flaw in rendering PDFs allows iPhone takeovers

August 4, 2010 12:20 am by Joseph Menn

It hasn’t been a good couple of weeks for Apple on the security front.

In the latest bit of bad news, a flaw in the way that iPhones and other devices running iOS show Adobe and other PDF files is allowing Websites that display specially crafted PDFs to take control of the gadgets.

So far, the best-known site using the technique, called jailbreakme, is only acting as a public service: iPhone owners who visit and click a button can free their phones from AT&T’s network and to install applications that aren’t sanctioned by Apple.But security researchers said on Tuesday that the same method could give malicious websites–which might be pretty effective if they pretended to be extending jailbreak services–control over the phones, with the ability to steal or delete contracts and other information.

“We are aware of these reports and we are investigating” said Apple spokeswoman Natalie Harrison, in a comment so effusive by Apple standards that it strongly suggests a fix is in the works.

The main problem has to do with the way Apple’s Safari mobile browser interprets fonts, but McAfee researcher Dave Marcus said a second problem, in the software kernel, allows attackers to escalate their power after gaining access.

There were no immediate reports of iPhone takeovers. But there is a good possibility that there will be some before Apple gets its patch out.

The bug follows the publication on July 21of a vulnerability in the way Safari stores a Mac user’s name, company, address and email address and offers it up for easy entry on Web forms.

Longtime researcher Jeremiah Grossman showed off a simple script that rotates through all 26 possible first letters and triggers Apple’s overeager autofill function, allowing websites to capture the personal data with minimal effort. Apple released an update for Safari that fixed the problem on July 28.

Which brings us to last month’s report (non-jailbreaking PDF) from Secunia that found Apple accounted for the most reported vulnerabilities of any software vendor last year. That includes flaws in Quicktime and iTunes and doesn’t mean that Apple had the most severe flaws.

But it does provide added evidence that the greatest security problem with Apple might be the smugness of its users.

Posted in Tech |
Share
Share this on
Print
Share
Share this on
Print

FT techfeed

Tech Blog

Analysis & reviews

About this blog Blog guide
Richard Waters, Chris Nuttall and April Dembosky in the FT's San Francisco bureau share their views - plus tech insights from Tim Bradshaw and Maija Palmer in London and Robin Kwong in Taipei.



Read about the authors


To comment, please register for free with FT.com and read our policy on submitting comments.

All posts are published in UK time.

Contact the FT Tech Hub team: richard.waters@ft.com, chris.nuttall@ft.com, april.dembosky@ft.com, maija.palmer@ft.com, robin.kwong@ft.com and tim.bradshaw@ft.com.

See the full list of FT blogs.

Archive

« Jul Sep »August 2010
M T W T F S S
 1
2345678
9101112131415
16171819202122
23242526272829
3031  

Tech analysis and reviews

Coding for dummies

Execs learn geek techniques

Time for smartwatches?

Sony synchronises watches with smartphones

Tags

advertising android apple AT&T Electronic Arts Europe Facebook funding google hacking hewlett-packard HP htc instagram intel iPad iphone IPO Jawbone Lenovo London megaupload microsoft Mobile Netflix Nintendo nokia nokia lumia patents privacy samsung smartphones social media social networking Sony SOPA Spotify story of the week Tablets Toshiba twitter venture capital Wikipedia Yahoo Zynga