Thursday, July 7, 2011

iPhone hacked with zero-day font vulnerability

Apple’s newest iPhone devices have been hacked with a zero-day font vulnerability in the latest iteration of the JailbreakMe.com project.
The JailbreakMe.com exploit allows the automated jailbreaking of iPhone/iPad/iPod Touch devices from a specially created Web site.
It is essentially a drive-by download attack that exploits the way Apple’s mobile operating system processes certain fonts. Technical details of the vulnerability are not yet known.


It is likely being combined with a second privilege escalation bug to escape the iOS sandbox, much like the first version of the jailbreak exploit. According to “Comex,” the hacker behind the site, the exploit defeats ASLR (Address Space Layout Randomization), a key anti-exploit mechanism.
Along with the jailbreak exploit, “Comex” also released a patch for the main vulnerability.
“Due to the nature of iOS, this patch can only be installed on a jailbroken device. Until Apple releases an update, jailbreaking will ironically be the best way to remain secure,” he explained.
