Yes, you read that right. Jailbreaking your iOS devices can make them more secure.
One of the reasons given by Apple for locking down the iOS platform is security. A locked down OS is more secure than one that isn’t because it doesn’t allow unsigned code to be run on the platform. But what happens when a zero-day vulnerability is discovered that allows the security system to be bypassed that will take days, maybe weeks, to be fixed by Apple has already been patched by the jailbreak community? This is when a jailbroken device becomes more secure than one protected by Apple’s security mechanisms.
And this is the situation that millions of iOS device owners find themselves in today. Yesterday the JailbreakMe.com website was resurrected and this gave almost all iOS device (iPod touch, iPhone and iPad) owners a simple way to jailbreak their hardware. The site does this by making use of a zero-day vulnerability in the mobile Safari browser related to the way it handles PDF documents. In this instance the vulnerability is being used to jailbreak the device, but there is nothing preventing hackers from reverse-engineering the hack, loading it into any PDF file and using it to do something far more nefarious.
‘Comex,’ the creator of the JailbreakMe.com website seems to be well aware of the fact that this vulnerability could be used to do bad things:
“I did not create the vulnerabilities, only discover them. Releasing an exploit demonstrates the flaw, making it easier for others to use it for malice, but they have long been present and exploitable. Although releasing a jailbreak is certainly not the usual way to report a vulnerability, it still has the effect of making iOS more secure in the long run.”
On top of that, the jailbreak community has made a patch available to those running jailbroken devices. This means that the minority who jailbreak their devices are offered protection from this vulnerability, while millions who don’t jailbreak are left waiting on Apple for a fix.
So, if you’re not up to jailbreaking, what should you do? Here’s what security firm Intego suggests:
Apple should release a security update to iOS in the near future to deal with this vulnerability. In the meantime, users are advised to avoid downloading or viewing PDF files from untrusted sources on their iOS devices.
Take care out there!
[UPDATE: As pointed out to me by Sean Sullivan via the F-Secure Labs Twitter account, the PDF vulnerability exists for the 2nd generation iPod touch too, and since this device is no longer supported by Apple, these users will never see a fix from Apple.]
[UPDATE 2: Apple spokesperson Bethan Lloyd said that the company is "aware of this reported issue and developing a fix that will be available to customers in an upcoming software update."]
