Blog Post

Apple Releases iOS 4.0.2 and 3.2.2, Fixes PDF Exploit

Apple (s aapl) has just released iOS 4.0.2 for iPhone and iPod touch and iOS 3.2.2 for iPad through iTunes. This update plugs a security hole that would allow malicious PDF files to compromise iOS.

The PDF security hole was used in the JailbreakMe website so that users could jailbreak their iPhones without running any special software; all they had to do was download a specially-created PDF file. When Mobile Safari loads the PDF and reads the font section, it incorrectly executes the code inside the font section which takes advantage of an exploit to crack iOS.

JailbreakMe was fairly safe in that it leveraged existing techniques to jailbreak the iPhone. The real problem with this PDF exploit is that it’s easy to create a web page that would deceive the user into opening a PDF file in Mobile Safari which could do something more harmful.

Apple took a little over a week to roll out a fix for this exploit. Not bad when you consider the number of devices affected (various iPod touch and iPhone models) and the amount of testing that goes into a firmware update (even a minor one).

The update is rather large (almost 580MB for the iPhone 4) because it contains the full firmware image. You can download the update by connecting your iPhone or iPod touch to your computer running iTunes and clicking on “Check for Update.”

I suppose this points out a weakness in Apple’s system for pushing updates. There’s no way to update your iPhone or iPod touch without a desktop computer running iTunes. While it may seem impossible to those of us who read TheAppleBlog, many people rarely connect their iPhones to their computer and download apps and such from the device itself. Apple has relied on sending text messages to notify iPhone customers of important updates in the past, but I’m not aware of any method to send notifications to iPod touch users.

Of course, if you wanted to jailbreak your iPhone, then be sure to avoid the update. You may want to look into a Cydia app that prompts you before opening a PDF file just to warn you of the risk and make sure you wanted to do so.

Related GigaOM Pro Research: Mobile OSes Are No Longer Just About Mobile

4 Responses to “Apple Releases iOS 4.0.2 and 3.2.2, Fixes PDF Exploit”

  1. I trust Apple can solve this problem, but users who have jailbroken their devices, hacking them legally but warranty-busting move to run unauthorized apps, will lose access to the unauthorized content. I’ve mean to install iOS 4 on my 3GS to get multitasking with it. But now I’m thinking about it. I just want to enjoy it in security. I prefer using third party software like ifunia on my mac for my iphone 3GS, to install apps directly in it.

  2. This update method is a problem for iPad owners too. I never connect my iPad to a computer. I thought the whole design was focused on using the cloud for storage, file transfers, etc.

    Hope they come up with a solution, even if it means buying a MobileMe account.