iPhone hacked with zero-day font vulnerability

Summary:Apple's newest iPhone devices have been hacked with a zero-day font vulnerability in the latest iteration of the JailbreakMe.com project.

Apple's newest iPhone devices have been hacked with a zero-day font vulnerability in the latest iteration of the JailbreakMe.com project.

The JailbreakMe.com exploit allows the automated jailbreaking of iPhone/iPad/iPod Touch devices from a specially created Web site.

It is essentially a drive-by download attack that exploits the way Apple’s mobile operating system processes certain fonts.  Technical details of the vulnerability are not yet know.

It is likely being combined with a second privilege escalation bug to escape the iOS sandbox, much like the first version of the jailbreak exploit.   According to "Comex," the hacker behind the site, the exploit defeats ASLR (Address Space Layout Randomization), a key anti-exploit mechanism.

Along with the jailbreak exploit, "Comex" also released a patch for the main vulnerability.

"Due to the nature of iOS, this patch can only be installed on a jailbroken device.   Until Apple releases an update, jailbreaking will ironically be the best way to remain secure," he explained.

On the issue of releasing exploit for zero-day flaws, here's a note from the site's FAQ:

I did not create the vulnerabilities, only discover them.  Releasing an exploit demonstrates the flaw, making it easier for others to use it for malice, but they have long been present and exploitable.  Although releasing a jailbreak is certainly not the usual way to report a vulnerability, it still has the effect of making iOS more secure in the long run.

Topics: iPhone, Mobility, Security

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.