Apple has released a security patch to block hackers from gaining access to any iPhone, iPod Touch or iPad running the latest versions of its mobile operating system. That’s the good news. The bad: Users who have jailbroken their devices, hacking them in a legal but warranty-busting move to run unauthorized apps, will lose access to the unauthorized content.
Anyone who wants to jailbreak after updating will likely have a harder time of it, too, until hackers devise the next jailbreak technique.
Information about the security hole surfaced last week. The flaw allows hackers to get access to information stored on Apple’s mobile devices by putting a PDF file with hidden code onto a website and encouraging users to download the PDF. When users try to display the PDF, they see a “stack overflow” message, which then triggers the code inside the PDF to do a variety of damage, from deleting files to installing programs to monitor the user’s actions.
The security exploit was made available by a hacker who calls himself or herself “Comex,” who used it to create an easy-jailbreak program called “JailbreakMe 2.0.”
On Apple’s site, where the software fix is available, the company noted the “impact” of the security hole: “Viewing a PDF document with maliciously crafted embedded fonts may allow arbitrary code execution.” The fix is also available on iTunes as an update.
The bug might affect all devices running iOS versions 3.1.2 or later, the site said. The fix applies to users of the iPhone 3G and later devices who are using iOS 2.0 through iOS 4.01, and for second-generation and later iPod Touch users with iOS 2.1 through iOS 4.0 on their devices.
If you don’t have a chance to update, and you’re concerned about the bug, just know that “the easiest way to avoid this problem is by not going to any PDF links directly and not loading any PDF from any non-trusted source,” Gizmodo noted.
For most people, though, the best bet is to go ahead and update the device with the patch. Some reports Thursday morning indicate that the discoverer of the exploit has posted a link on Twitter to the virulent source code so that others can use it to hijack Apple’s mobile devices.