iPhone hacked with zero-day font vulnerability

iPhone hacked with zero-day font vulnerability

Summary: Apple's newest iPhone devices have been hacked with a zero-day font vulnerability in the latest iteration of the JailbreakMe.com project.

SHARE:
29

Apple's newest iPhone devices have been hacked with a zero-day font vulnerability in the latest iteration of the JailbreakMe.com project.

The JailbreakMe.com exploit allows the automated jailbreaking of iPhone/iPad/iPod Touch devices from a specially created Web site.

It is essentially a drive-by download attack that exploits the way Apple’s mobile operating system processes certain fonts.  Technical details of the vulnerability are not yet know.

It is likely being combined with a second privilege escalation bug to escape the iOS sandbox, much like the first version of the jailbreak exploit.   According to "Comex," the hacker behind the site, the exploit defeats ASLR (Address Space Layout Randomization), a key anti-exploit mechanism.

Along with the jailbreak exploit, "Comex" also released a patch for the main vulnerability.

"Due to the nature of iOS, this patch can only be installed on a jailbroken device.   Until Apple releases an update, jailbreaking will ironically be the best way to remain secure," he explained.

On the issue of releasing exploit for zero-day flaws, here's a note from the site's FAQ:

I did not create the vulnerabilities, only discover them.  Releasing an exploit demonstrates the flaw, making it easier for others to use it for malice, but they have long been present and exploitable.  Although releasing a jailbreak is certainly not the usual way to report a vulnerability, it still has the effect of making iOS more secure in the long run.

Topics: iPhone, Mobility, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

29 comments
Log in or register to join the discussion
  • RE: iPhone hacked with zero-day font vulnerability

    Sweet!<br>Gotta luv them bugs!!! Worked great on my iPad2! <img border="0" src="http://www.cnet.com/i/mb/emoticons/grin.gif" alt="grin">
    rhonin
    • RE: iPhone hacked with zero-day font vulnerability

      @rhonin the good thing about my <a href="http://www.android-tablet.org/android/will-google-android-growth-in-europe-bring-cheaper-tablets/">android tablet</a> is that I don't even need to hack it!
      Jeffrey1980
  • Lies, lies, lies

    Only Microsoft Windows can be hacked.
    Raid6
    • RE: iPhone hacked with zero-day font vulnerability

      @Raid6
      What?!? No [b]BOLD[/b]? No [i]ITALICS[/i]? No [u]UNDERLINE[/u]?

      rotflmao :D
      rhonin
    • RE: iPhone hacked with zero-day font vulnerability

      @Raid6 Erm, sorry, Windows can't be hacked, only exploited and manipulated. Hacking has lost all meaning by the excessive over use of the word.
      PirateEggs
    • RE: iPhone hacked with zero-day font vulnerability

      @Raid6 go fuck yourself
      PrincessMilissa
    • RE: iPhone hacked with zero-day font vulnerability

      @Raid6 Huh-uh.
      skippe93
    • RE: iPhone hacked with zero-day font vulnerability

      @Raid6<br>< /sarc > ...
      Z3R0D4Y
  • RE: iPhone hacked with zero-day font vulnerability

    But the iDeity (Mr. Jobs) has said his majestically ordained products just work. Don't start the heretical idea that they can be turned to the dark side or iRetribution will ensue.
    Agnostic_OS
  • RE: iPhone hacked with zero-day font vulnerability

    "iPhone devices have been hacked with a zero-day font vulnerability" would that be a malformed letter i ?
    Just wondering...
    Agnostic_OS
    • RE: iPhone hacked with zero-day font vulnerability

      @Agnostic_OS
      p-p-p-possibly......
      rhonin
  • RE: iPhone hacked with zero-day font vulnerability

    Rock on jailbreakers!
    Imrhien
  • RE: iPhone hacked with zero-day font vulnerability

    That's interesting considering apple just made their beta program http://adf.ly/20MVU open to the public.
    jen364
    • RE: iPhone hacked with zero-day font vulnerability

      @jen364

      Spam ^^^???
      DeusXMachina
  • RE: iPhone hacked with zero-day font vulnerability

    No thanks, I'm good using redsn0w to jailbreak.
    athynz
  • RE: iPhone hacked with zero-day font vulnerability

    I rejoice!
    The Douginator
  • And it makes me wonder...

    Why, when someone is talking iPhone marketshare and they want to inflate the #'s, iOS is discussed? (which includes iPods and iPads)

    Yet, when a vulnerability is brought up, only iPhone is mentioned? [i]"Apple?s newest iPhone devices have been hacked with a zero-day font vulnerability..." [/i]

    Ryan, I'm sorry, but iOS is iOS iOS. If the idiot fanbois get to include iPods and iPads when it supports their argument, then iPods and iPads have to be included when the topic is bad news as well. (please note, i'm not including you in the 'idiot fanboi' group)

    Also, it's funny how everytime an article gets written about consumerization of IT (like we saw yesterday with the TouchPad vs Playbook vs iPad in enterprise), and enterprise catering to the user's wants rather than needs... we see an article like this pop up. It gives credit to the necessary rules that everyone hates that enterprise is forced to apply upon it's users (it is, after all, the company's network)

    Hey, I hate having my internet filtered, but I know what havoc can be brought on by relaxing the rules, so I don't worry about whether I'm popular or if someone can't spend their workday on the web looking at crap they're not supposed to.
    UrNotPayingAttention
    • RE: iPhone hacked with zero-day font vulnerability

      @chmod 777 <br><br>My users biatch about the proxy server and how they can't go to any site they want, I say too bad, security trumps your personal surfing time everytime. The good news is I have a director that supports the proxy 100% and I won't allow iPads, iPhones into our department as a work device because the security controls just don't exist.
      hopp64
      • RE: iPhone hacked with zero-day font vulnerability

        @hopp64

        I suggest hiring REAL IT people. Let me guess, you do allow Android ?
        Tiredofdumbasses
    • RE: iPhone hacked with zero-day font vulnerability

      @chmod 777 You're not wrong, but 'IOS doesn't sell papers'. 'iPhone Hacked' got me to click on this link and RT it.
      FarVision