This Week's Sponsor:

Winterfest 2024

The Festival of Artisanal Software

How To Prevent iOS From Automatically Loading PDFs [Vulnerability]

Last night JailbreakMe was released in the wild. As we reported, it’s one of the simplest jailbreak tools ever made, as it requires only one slide in Mobile Safari to install Cydia on your device. You visit a link, slide, and wait. As we also reported, though, the exploit seems to based on a PDF vulnerability in iOS: the iPhone automatically downloads PDF files, and Comex injected the jailbreak code in a PDF file.

Update #1: It’s not a PDF header issue, it’s the FlateDecode stream section.

Update #2: Charlie Miller says it’s not the FlateDecode stream section either (the bug Huang suggested it’s in Adobe’s renderer, not Apple’s), it’s a PDF font bug: [via DF]

“Starting to get a handle on jailbreakme.com exploit. Very beautiful work. Scary how it totally defeats Apple’s security architecture.”


Like I said, it’s pretty great for jailbreakers - but for “normal” people and Apple this is a serious threat to security.

So now that you’ve jailbroken your device, wouldn’t it be best to fix this hole, in order to prevent malicious softwares to land on your phone by using the same technique?

[Check out http://www.macstories.net/tag/jailbreak/ for our full Cydia / Jailbreak coverage]


Tweeted by @cdevwill earlier today, all you have to do is download this .deb file and open it on your device using either Terminal from your Mac, or iFile on the iPhone. Just download it and place it in /var/mobile.

- Using Terminal:

ssh root@your IP address

alpine

dpkg -i file.deb

Where “alpine” is the default password you’ll get after installing Open SSH from Cydia and “your IP address” is located under Settings - > Wifi - > active wifi connection.

- Using iFile:

Navigate to /var/mobile and double tap on the .deb file to install it.

Please be aware that this won’t fix the issue, but it’ll simply ask you if you really want to open a .PDF every single time. If the source is trusted, you can confirm. But if you happen to visit a website that tries to install malicious stuff on your iPhone using @comex’s method, then you’ll be able to kill it.

Apple will surely address the bug in a future iOS release, but if you want to be safe right now - give it a try.

Join

Access Extra Content and Perks

Founded in 2015, Club MacStories has delivered exclusive content every week for nearly a decade.

What started with weekly and monthly email newsletters has blossomed into a family of memberships designed every MacStories fan.

Learn more here and from our Club FAQs.

Club MacStories: Weekly and monthly newsletters via email and the web that are brimming with apps, tips, automation workflows, longform writing, early access to the MacStories Unwind podcast, periodic giveaways, and more;

Club MacStories+: Everything that Club MacStories offers, plus an active Discord community, advanced search and custom RSS features for exploring the Club’s entire back catalog, bonus columns, and dozens of app discounts;

Club Premier: All of the above and AppStories+, an extended version of our flagship podcast that’s delivered early, ad-free, and in high-bitrate audio.

Federico is the founder and Editor-in-Chief of MacStories, where he writes about Apple with a focus on apps, developers, iPad, and iOS productivity. He founded MacStories in April 2009 and has been writing about Apple since. Federico is also the co-host of AppStories, a weekly podcast exploring the world of apps, Unwind, a fun exploration of media and more, and NPC: Next Portable Console, a show about portable gaming and the handheld revolution.

@viticci
@viticci
@[email protected]
@viticci.macstories.net
[email protected]