Security flaw in Apple iPhones gives hackers control

 

Gallery

By Stewart Mitchell and Reuters

Posted on 4 Aug 2010 at 08:23

The same flaw used to jailbreak Apple's iPhone and iPad could allow hackers to enslave the mobile devices, according to security firms.

The PDF flaw affects Apple's iOS, which also runs the iPod Touch, and could allow hackers to take complete control of a vulnerable device.

“Two vulnerabilities have been identified in Apple iOS for iPhone, iPad and iPod, which could be exploited by remote attackers to take complete control of a vulnerable device,” said McAfee's David Marcus on the company's blog.

“The first issue is caused by a memory corruption error when processing Compact Font Format (CFF) data within a PDF document, which could be exploited by attackers to execute arbitrary code by tricking a user into visiting a specially crafted web page using Mobile Safari," he said.

“The second vulnerability is caused by an error in the kernel, which could allow attackers to gain elevated privileges and bypass sandbox restrictions.”

According to McAfee's Marcus, these flaws were the same ones used by Jailbreakme to remotely jailbreak Apple devices.

Mobile flaws

The vulnerability in Apple's iOS is the latest in a series of security bugs identified in mobile devices over the past week.

Security experts at a hacking conference last week pointed out several vulnerabilities in Google's operating system for mobile phones and tablet PCs.

"We shouldn't be surprised to see security bugs happen in very complex software," said Kevin Mahaffey, chief technology officer for mobile security firm Lookout.

Mahaffey said he was not aware of any incidents in which criminals had exploited the bug to gain control of an Apple device, but said the electronics maker has yet to offer a remedy to protect against such attacks.

"Everybody - both good and bad - knows how it works," he said.

Apple said the company was aware of the report and was investigating.