Attackers likely to pounce on iOS flaws as Apple readies fix
jailbreak the latest iPhone, researchers are warning that attackers soon will exploit the bugs for more malicious purposes.
“My educated guess is that within a week we will see an iPhone worm,” Mikko Hyppönen, chief research officer at anti-virus firm F-Secure, told SCMagazineUS.com on Thursday.
The jailbreak hack is a complicated exploit to perpetrate, but now that details have been published online, an attacker easily could craft a more malevolent attack, Hyppönen said.
Over the weekend, a group calling itself the Dev-Team released the jailbreak hack, which works on the iPhone 4 and other versions of the phone in addition to iPad and iPod Touch devices.
The hack makes use of two unique vulnerabilities in Apple's mobile operating system, iOS, to jailbreak the devices, thereby allowing users to install unapproved applications. The exploit targets a PDF font parsing vulnerability that allows for the execution of code. A second vulnerability, caused by an error in the kernel, is then used to elevate privileges to root on the device.
But the same flaws also could be leveraged to remotely install malware on users' machines by tricking them into visiting a specially crafted website via Mobile Safari, according to an advisory from vulnerability management firm Vupen Security.
Successful exploitation could allow an attacker to “do anything at all on the phone,” including make phone calls, eavesdrop on calls, steal data on the phone or destroy data, Hyppönen said.
“Right now there is no real problem,” he added. “There is the potential for major problems, but nothing bad has happened yet.”
Security researchers at Symantec, McAfee and Sophos all have expressed similar worries.
“What concerns me, and others in the security community, is that if simply visiting a website with your iPhone can cause it to be jailbroken, just imagine what else hackers could do by exploiting this vulnerability,” Graham Cluley, senior technology consultant at Sophos, wrote in a blog post on Wednesday. “Cybercriminals would be able to create booby-trapped web pages that could – if visited by an unsuspecting iPhone, iPod Touch or iPad owner – run code on visiting devices without the user's permission.”
An Apple spokeswoman told SCMagazineUS.com on Wednesday that the company is aware of the issue and has developed a fix, which will be available in an upcoming software update, though she could not say when.
All iPhone users should be cautious when visiting unsolicited websites, even if they have not jailbroken their device, Kevin Haley, Symantec's director of security response, wrote in a blog post on Tuesday.
Meanwhile, some early reports about the jailbreak hack incorrectly stated that it relied on a flaw in the Adobe PDF specifications. As a result, Adobe received a “significant number of inquiries” from customers asking whether the so-called “iPhone jailbreak PDF vulnerability” affects Adobe Reader and Acrobat, Brad Arkin, director of product security and privacy at Adobe, wrote in a blog post Wednesday.
“All of our analysis to date indicates that the vulnerability used in the iPhone jailbreak does not impact Adobe Reader or Acrobat,” Arkin wrote.
However, Adobe this week did confirm a separate but similar flaw in Reader and Acrobat that was disclosed last week at the Black Hat Conference in Las Vegas. The flaw, caused by an integer overflow error in the way the PDF viewer parses fonts, was revealed by Charlie Miller, principal security analyst at consulting firm Independent Security Evaluators, during a Black Hat presentation.
There are no reports of that bug being exploited in the wild. Adobe has said it is working on a fix.