1. TheScionicMan
    Aug 3, 2010 11:41 AM Right now, if you visit a web page and load a simple PDF file, you may give total control of your iPhone, iPod touch, or iPad to a hacker. The security bug affects all devices running iOS 3.1.2 and higher.

    Update: Initially we thought that this exploit only affected iOS 4 devices, but it turns out all iPhones, iPod Touches and iPads running 3.1.2 and higher are susceptible.

    The vulnerability is easily exploitable. In fact, the latest one-click, no-computer-required Jailbreak solution for iOS 4 devices uses this same method to break Apple's own security (although in a completely benign way for the user).
    How it works

    It just requires the user to visit a web address using Safari. The web site can automatically load a simple PDF document, which contains a font that hides a special program. When your iOS device tries to display the PDF file, that font causes something called stack overflow, a technical condition that allows the secret ninja code inside the font to gain complete control of your device.

    The result is that, without any user intervention whatsoever, that program can do whatever it wants inside your iPhone, iPod touch or iPad. Anything you can imagine: Delete files, transmit files, install programs running in the background that can monitor your actions... anything can be done.
    Apple Security Breach Gives Complete Access to Your iPhone
    Last edited by TheScionicMan; 08-03-10 at 07:44 PM.
    08-03-10 07:42 PM
  2. LazyStarGazer
    I would be concerned about this except for a couple of things:

    1. I've jailbroken my 3GS, and installed 'PDF Loading Warner' from Cydia.
    It is NOT a fix or a patch. It merely tells you if someone else is potentially trying to exploit the same vulnerability.

    2. I generally go to established, reputable sites only on my device's browser. Nonetheless, I plan on being a little more cautious until Apple fixes this.
    (and screws up my JB at the same time).
    Last edited by LazyStarGazer; 08-03-10 at 10:47 PM.
    08-03-10 10:44 PM
  3. Entertainment72
    I've downloaded iOS 4.1 beta 3 which addresses this breach. Apple is close to releasing 4.1 and it's much better than 4.0.1, addresses many bugs and applies some patches as well.
    08-03-10 10:47 PM
  4. weblou
    Do you know what else they are going to add in this update? Maybe FaceTime on 3G

    I've downloaded iOS 4.1 beta 3 which addresses this breach. Apple is close to releasing 4.1 and it's much better than 4.0.1, addresses many bugs and applies some patches as well.
    Posted from my CrackBerry at wapforums.crackberry.com
    08-03-10 11:20 PM
  5. stuaw11
    Do you know what else they are going to add in this update? Maybe FaceTime on 3G



    Posted from my CrackBerry at wapforums.crackberry.com
    Doubtful on the FaceTime, but there is a Cydia app that lets you do that over 3G.

    Generally, this isn't that big a deal. It's been around since 3.1.2 and you haven't heard of one person being attacked with this hole.

    People just like to stir paranoia when something comes into the spotlight like the iPhone 4 jailbreak. It means nothing, the hole is in jailbroken and non-jailbroken phones since 3.1.2 to 3.1.3 to 4.0 to 4.01 and I've never heard of anyone being attacked with this exploit to date.
    08-03-10 11:25 PM
  6. LazyStarGazer
    Maybe it will have a native version of 3G Unrestrictor.
    Just to **** off AT&T.
    08-03-10 11:25 PM
  7. LazyStarGazer
    Doubtful on the FaceTime, but there is a Cydia app that lets you do that over 3G.

    Generally, this isn't that big a deal. It's been around since 3.1.2 and you haven't heard of one person being attacked with this hole.

    People just like to stir paranoia when something comes into the spotlight like the iPhone 4 jailbreak. It means nothing, the hole is in jailbroken and non-jailbroken phones since 3.1.2 to 3.1.3 to 4.0 to 4.01 and I've never heard of anyone being attacked with this exploit to date.
    Maybe no one knew about it until Comex exploited it.
    08-03-10 11:28 PM
  8. Entertainment72
    Do you know what else they are going to add in this update? Maybe FaceTime on 3G



    Posted from my CrackBerry at wapforums.crackberry.com
    I doubt it.
    08-04-10 08:58 AM
  9. avt123
    Do you know what else they are going to add in this update? Maybe FaceTime on 3G



    Posted from my CrackBerry at wapforums.crackberry.com
    Can't. At 3MB/min this will NEVER happen. AT&T's network would get killed. Well, I think any network would get killed with this type of data consumption.

    FaceTime 3G data consumption tested: about 3MB per minute -- Engadget
    08-04-10 12:59 PM
  10. weblou
    Yeah, I could see why the carriers don't want this. I guess whoever wants it could JB their phone and use it.
    08-04-10 01:20 PM
  11. TheScionicMan
    This hole seems ripe for a shortened URL attack. Get something with a shortened URL to go viral on Twitter, like those Kanye West Tweets as New Yorker cartoon captions. It could get spread very easily because it wouldn't do anything on any other smartphone to send up a red flag...
    08-04-10 06:41 PM