Apple's newest iPhone devices have been hacked with a zero-day font vulnerability in the latest iteration of the JailbreakMe.com project.
The JailbreakMe.com exploit allows the automated jailbreaking of iPhone/iPad/iPod Touch devices from a specially created Web site.
It is essentially a drive-by download attack that exploits the way Apple's mobile operating system processes certain fonts. Technical details of the vulnerability are not yet known.
It is likely being combined with a second privilege escalation bug to escape the iOS sandbox, much like the first version of the jailbreak exploit. According to "Comex," the hacker behind the site, the exploit defeats ASLR (Address Space Layout Randomization), a key anti-exploit mechanism.
Along with the jailbreak exploit, "Comex" also released a patch for the main vulnerability.
"Due to the nature of iOS, this patch can only be installed on a jailbroken device. Until Apple releases an update, jailbreaking will ironically be the best way to remain secure," he explained.
On the issue of releasing exploits for zero-day flaws, here's a note from the site's FAQ:
I did not create the vulnerabilities, only discover them. Releasing an exploit demonstrates the flaw, making it easier for others to use it for malice, but they have long been present and exploitable. Although releasing a jailbreak is certainly not the usual way to report a vulnerability, it still has the effect of making iOS more secure in the long run.