Processing .....please wait.. 
The article has been forwarded.... 
'iPhones Jailbreaking': Report unveils new PDF vulnerability
By siliconindia
|
Tuesday, 05 October 2010, 13:48 IST
Bangalore: Security firm Fortinet has shown a new vulnerability in its September 2010 Threat Landscape report that is being used to exploit Jailbroken Apple iPhones leveraging the PDF file format. Jailbreaking is a process that allows iPad, iPhone and iPod Touch users to install greater number of applications on their devices by unlocking the operating system.
Apple fixed the PDF vulnerability in iOS 4.0.2 and iPad 3.2.2 firmware few weeks back. The problem lies in the Compact Font Format, which is supported in popular document formats such as PDF. The exploit allows user to visit a web site JailbreakMe.com, which hosts an exploit code written by comex to bypass the digital code signatures used by Apple in all iDevices.
Derek Manky, Project Manager, Cyber Security and Threat Research, Fortinet said, "Once an iPhone, or any device, has been 'broken,' the door is open. The device may then execute code or function in a way it was not designed to do". Jailbroken devices can also run malicious applications, so it is plausible that a two-stage malware attack could occur, he added.
Jailbroken devices, according to Manky, are more vulnerable to malware attacks. Last year, Ikee worm targeted jailbroken iPhones and took advantage of Secure Shell or SSH service that uses default password to allow remote user logins.
There were a total of 62 vulnerabilities added to FortiGuard IPS coverage this period. Of these added vulnerabilities, 26 were reported to be actively exploited (41.9 percent).
Recently, Apple's second generation Apple TV has been jail broken with a new exploit called the 'Shatter', although the brains behind the break has admitted there is a 'long way to go' before putting apps on the device's memory.
Apple, on its part, has also ramped up its battle to prevent iPhone and iPod owners from jailbreaking their devices. The company has applied for a patent, titled "Systems and Methods for Identifying Unauthorized Users of an Electronic Device," that covers a series of security measures to automatically protect devices from thieves and other unauthorized users.
