Security threat with iOS 4 and iPad and pdf's

vaughnmr · 08-03-2010, 11:53 AM

Oddly enough, this is how the new jailbreak works.

http://gizmodo.com/5603319/new-apple...to-your-iphone

murraypaul · 08-03-2010, 12:06 PM

Interesting how the same exploits turn up again and again.
You could 'jailbreak' a PSP with a TIFF exploit, and an XBox with a font one.

kjk · 08-03-2010, 12:09 PM

Not that odd, actually-almost all the jailbreaks are based on security holes in the OS. This one seems pretty serious though.

vaughnmr · 08-03-2010, 12:12 PM

Quote:

Originally Posted by kjk

Not that odd, actually-almost all the jailbreaks are based on security holes in the OS. This one seems pretty serious though.

Is it in the iOS or is this an Adobe thing?

kjk · 08-03-2010, 12:16 PM

Quote:

Originally Posted by vaughnmr

Is it in the iOS or is this an Adobe thing?

Apple uses their own PDF stuff, not Adobes-pretty sure this is their issue.

Bremen Cole · 08-04-2010, 06:26 AM

After listening for years to Apple folks talking about how secure their products were, it is interesting that the more popular Apple becomes, the more security issues they have. Windows has been maligned for decades for this kind of thing. Looks like folks like me were right, the hackers didn't mess with Apple because of their relative tiny market share. Looks like that's changing.

Since I have never used virus or adware "protection" in 20 years of Windows use, I'm not to worried about stuff like this. I even have the firewall/defense crap turned off in Windows, and never had any problem..... It actually looks like something like this could be more dangerous to someone like me than the run of the mill Windows virus....

vaughnmr · 08-04-2010, 10:18 AM

I believe a lot of the "security" was because they were in the minority and weren't being targeted. With the popularity of iOS and Android increasing, I suspect a lot of folks will be caught unaware.

John F · 08-04-2010, 10:27 AM

Could someone explain (at a high level) how this security hole could cause trouble. They mention "stack overflow" and "code in an embedded font" in the article, but I don't see why that code would be executed.

I'm a high level programmer, so you don't dumb it down too much.

kjk · 08-04-2010, 11:03 AM

Quote:

Originally Posted by John F

Could someone explain (at a high level) how this security hole could cause trouble. They mention "stack overflow" and "code in an embedded font" in the article, but I don't see why that code would be executed.

I'm a high level programmer, so you don't dumb it down too much.

http://www.f-secure.com/weblog/archives/00002002.html
http://www.vupen.com/english/advisories/2010/1992

Quote:

The first issue is caused by a memory corruption error when processing Compact Font Format (CFF) data within a PDF document, which could be exploited by attackers to execute arbitrary code by tricking a user into visiting a specially crafted web page using Mobile Safari.

The second vulnerability is caused by an error in the kernel, which could allow attackers to gain elevated privileges and bypass sandbox restrictions.

Note: These flaws are currently being exploited by jailbreakme to remotely jailbreak Apple devices. The website redirects the browser to the appropriate PDF exploit file depending on the device model and version and then executes a first stage payload. Once done, a second stage payload is executed to gain root privileges on the device by exploiting the kernel vulnerability.

Maggie Leung · 08-04-2010, 01:51 PM

If a device was hacked, how could a non-techie tell? Would there be signs, or do you have to run some sort of diagnostic?

=X= · 08-04-2010, 03:02 PM

Quote:

Originally Posted by Maggie Leung

If a device was hacked, how could a non-techie tell? Would there be signs, or do you have to run some sort of diagnostic?

It's not easy to tell even for tech savvy folks. Usually only well know hacks are known but the good ones go some time w/o visibility. The best solution for non tech folks is virus scanners, but there is none available for phones.

But I'm thinking in a few years, with the growth of smart phones that should change.

This is Blackberrys biggest selling point, the security on those phones is excellent.

=X=

Maggie Leung · 08-04-2010, 03:04 PM

Quote:

Originally Posted by =X=

It's not easy to tell even for tech savvy folks. Usually only well know hacks are known but the good ones go some time w/o visibility. The best solution for non tech folks is virus scanners, but there is none available for phones.

But I'm thinking in a few years, with the growth of smart phones that should change.

This is Blackberrys biggest selling point, the security on those phones is excellent.

=X=

Rats, thought that might be the case. Thanks for the explainer.

vaughnmr · 08-04-2010, 04:49 PM

The government of Germany is now warning about two serious threats in Apple software:

http://www.cbsnews.com/stories/2010/...tionContent.11

Maggie Leung · 08-04-2010, 05:02 PM

Quote:

Originally Posted by vaughnmr

The government of Germany is now warning about two serious threats in Apple software:

http://www.cbsnews.com/stories/2010/...tionContent.11

Sounds like these are the same two weaknesses mentioned earlier in this thread.

toddos · 08-05-2010, 04:37 AM

Once you've used this security hole to jailbreak your device, install the PDF Loading Warner tweak from Cydia to prevent other sites from exploiting the hole silently. This will make Safari warn you any time it's about to open a PDF file, so if you didn't just explicitly tell it to open a PDF you would've been hacked without this in place (of course if you say "Yes", you'll be hacked anyway).

08-03-2010, 11:53 AM	#1
vaughnmr Ebook Reader Posts: 605 Karma: 3205128 Join Date: Nov 2009 Location: Texas Device: Kindle 3, HTC Evo, HTC View	Security threat with iOS 4 and iPad and pdf's Oddly enough, this is how the new jailbreak works. http://gizmodo.com/5603319/new-apple...to-your-iphone

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
PDF's in kindle app on ipad????	mack 120	Amazon Kindle	5	08-13-2010 07:27 PM
iOS 4.0.2 (iPhone) 3.22(iPad) updates now available	kjk	Apple Devices	5	08-12-2010 10:21 PM
FBI investigating iPad 3G security breach / FCC also concerned	=X=	News	35	06-19-2010 01:47 PM
iPad BoingBoing: Report: AT&T security breach exposed 114k iPad users	kjk	Apple Devices	9	06-14-2010 12:09 AM
Monthly Magazine PDF's - Is The iPad My Only Option??	Rex32	Which one should I buy?	2	05-30-2010 07:01 AM

08-03-2010, 12:06 PM	#2
murraypaul Interested Bystander Posts: 3,725 Karma: 19728152 Join Date: Jun 2008 Device: Note 4, Kobo One	Interesting how the same exploits turn up again and again. You could 'jailbreak' a PSP with a TIFF exploit, and an XBox with a font one.

08-03-2010, 12:09 PM	#3
kjk . Posts: 3,408 Karma: 5647231 Join Date: Oct 2008 Device: never enough	Not that odd, actually-almost all the jailbreaks are based on security holes in the OS. This one seems pretty serious though.

08-04-2010, 06:26 AM	#6
Bremen Cole Wizard Posts: 1,115 Karma: 2718 Join Date: Dec 2009 Location: Texas Device: iPad	After listening for years to Apple folks talking about how secure their products were, it is interesting that the more popular Apple becomes, the more security issues they have. Windows has been maligned for decades for this kind of thing. Looks like folks like me were right, the hackers didn't mess with Apple because of their relative tiny market share. Looks like that's changing. Since I have never used virus or adware "protection" in 20 years of Windows use, I'm not to worried about stuff like this. I even have the firewall/defense crap turned off in Windows, and never had any problem..... It actually looks like something like this could be more dangerous to someone like me than the run of the mill Windows virus....

08-04-2010, 10:18 AM	#7
vaughnmr Ebook Reader Posts: 605 Karma: 3205128 Join Date: Nov 2009 Location: Texas Device: Kindle 3, HTC Evo, HTC View	I believe a lot of the "security" was because they were in the minority and weren't being targeted. With the popularity of iOS and Android increasing, I suspect a lot of folks will be caught unaware.

08-04-2010, 10:27 AM	#8
John F Grand Sorcerer Posts: 7,174 Karma: 63764653 Join Date: Feb 2009 Device: Kobo Glo HD	Could someone explain (at a high level) how this security hole could cause trouble. They mention "stack overflow" and "code in an embedded font" in the article, but I don't see why that code would be executed. I'm a high level programmer, so you don't dumb it down too much.

08-04-2010, 01:51 PM	#10
Maggie Leung Wizard Posts: 1,449 Karma: 58383 Join Date: Jul 2009 Device: Kindle, iPad	If a device was hacked, how could a non-techie tell? Would there be signs, or do you have to run some sort of diagnostic?

08-04-2010, 04:49 PM	#13
vaughnmr Ebook Reader Posts: 605 Karma: 3205128 Join Date: Nov 2009 Location: Texas Device: Kindle 3, HTC Evo, HTC View	The government of Germany is now warning about two serious threats in Apple software: http://www.cbsnews.com/stories/2010/...tionContent.11

08-05-2010, 04:37 AM	#15
toddos Guru Posts: 695 Karma: 822675 Join Date: May 2010 Device: Kobo Aura, Nokia Lumia 920 (Freda)	Once you've used this security hole to jailbreak your device, install the PDF Loading Warner tweak from Cydia to prevent other sites from exploiting the hole silently. This will make Safari warn you any time it's about to open a PDF file, so if you didn't just explicitly tell it to open a PDF you would've been hacked without this in place (of course if you say "Yes", you'll be hacked anyway).

Advert

Advert