Apple to patch, PDF font exploit in upcoming software update


I think we all generally assumed this, but it's nice to see Apple going on record as saying they'll patch the PDF font exploit that currently allows -- and potentially any malicious hacker out there -- to run code on an iPhone with just the tap of a web button. CNET scored the quote from an Apple spokeswoman:

"We're aware of this reported issue, we have already developed a fix and it will be available to customers in an upcoming software update."

That might not be great news for Jailbreakers in the waiting, but this is a really bad security vulnerability and Jailbreak or no Jailbreak, Apple needs to fix it as soon as possible. Apple of course currently only provides updates in the form of complete firmware re-writes, which means we're likely going to have to wait for an iOS 4.0.2 (and hopefully a proximity sensor fix), or iOS 4.1 this fall when Apple introduces iPod touch 4.

If they could somehow work out a way to patch iOS, especially OTA, without having to wait until an entirely new firmware is ready it would go a long way towards speeding up their security response time for situations such as this.


Rene Ritchie

Editor-in-Chief of iMore, co-host of Iterate, Debug, Review, The TV Show, Vector, ZEN & TECH, and MacBreak Weekly podcasts. Cook, grappler, photon wrangler. Follow him on Twitter and Google+.

More Posts



← Previously

Clear iSpot brings 4G WiMax to iOS for $29/month

Next up →

Macally Bookstand case for iPad - accessory review

There are 26 comments. Add yours.

Woodman500 says:

Good. God only knows what could have happened.

ghostface147 says:

Excellent news. I don't mind a JB of any device, but I don't like how this one works.

kingweb says:

Hopefully it won't take too long to JB ios 4.1.
No upgrade for me until their is a JB.

t0m says:

My friend was amazed when I jailbroke his phone sitting in a bar watching the Yankee game. Told him that part was free, but changing his SSH password would be $50 ;)

jakej914 says:

It depends on what else Apple fixes. If they fix the proximity sensor sensitivity issue, then I'll gladly lose my jailbreak for now. But if not, I'll wait as well.
If you went ahead with the jailbreak, you can prevent iOS from automatically loading PDFs :)

Xgm says:

Just download the PDF warner from Cydia. Your phone will be more safe jailbroken than not.

iPad Case says:

Very disappointed about this. I'm sure the developers will find a way around it though.

sting7k says:

"If they could somehow work out a way to patch iOS", oh this makes me lol. They can't even patch iTunes or Safari yet how are they going to possibly patch a whole OS? A 350MB download makes perfect sense to fix one little bug.

OrionAntares#CB says:

"If they could somehow work out a way to patch iOS, especially OTA, without having to wait until an entirely new firmware is ready it would go a long way towards speeding up their security response time for situations such as this."
I bet they could publish a PDF link to do an OTA update! :P

kingweb says:

I don't have any issues with the proximity sensor, I guess it isn't every phone. Even if I did have the issue, I would opt for the JB. I would have never bought an iphone if I couldn't JB. Such basic stuff that has been available for years on other 1G phones is crippled/disabled by the Apple dictatorship.
I got the Cydia warning program for the PDF exploit. It is good enough for me.

Jt says:

I like how apple will make this "available" to us.

SciTeach3 says:

As much as I love Apple and my iPhone, the fact that they are soooooooo rigid as to not patch a security issue like this until it fits their schedule really annoys me. This is horrible customer service and that saddens me.

iMore-On says:

I love that easy jailbreak

VplusP says:

No Jailbreak. No update.

Jake Hilborn says:

Looks like Apple already patched my Evo, doesn't work on my Evo :'(

scott says:

I am becoming alittle alarmed by how may times Apple seems to be getting caught flatfooted by these things. First, the "death grip / touch / finger" mess, now this. And as with the first, no hurry to fix it. Do we REALLY need someone on CNN complaining that their phone was hacked?? Are we going to be exposed to more Apple videos showing that other phones has the same problem?? This really is starting to look like a product that was not ready, but released anyway. Look at the past examples....things dropped from phones / pods at the last minute for some minor problem, or Jobs did not like it. They KNEW about the grip issue, hence the ready made bumpers, and now a security threat. VERY un-Apple. Was it because HTC was breathing down their necks with their new phones every 10 days?? Apple can deny all they want, but their "body language" is giving them away.

jwriherd says:

People need to relax. Every device is vulnerable to some type of attack. This is just ONE exploit they used...there are others. If someone wants to hack your phone then try will. An like said above, dl the PDF Warner from cydia and it's safer than before the jb. I like how simple everyone thinks it is to just patch a security flaw that is so damaging. It takes time if it's so big and scary like you think it is. One letter off in a thousand line C++ code or whatever renders it useless.

VAGitarian says:

How many exploits are in Windows XP? How many bugs are there in a typical game from the AppStore or on Xbox? The problem I've been seeing is people developing half a$$ programs with the intent that they can always patch it down the road. Get it right the first time.

Jeff says:

@VAG, I agree my XP runs like crap thanks to the 300 updates it pushed out

(Copy of) Dev says:

This type of security hole deserves its own release as soon as it is ready. It is a sad commentary on Apple's priorities that they would rush a point release just to block Palm Pre music sync but cannot do so for a demonstrated critical security hole in the wild.

t0m says:

Most people that are "terrified" of the exploit are people that don't understand how these things work. Then again, those are the people that should be most afraid because they are the most likely to clink the "Free iPhone 4" link.
They are also the people that think the death-grip is really causing them to drop calls.

Parking Jerk says:

On the subject of the recent method of jailbreaking, this was the same way I JB'ed my iPod Touch 1G. You went to (or something like that) and it did it all for you. Maybe it wasn't a PDF exploit but it's the 2nd time we've been able to use the Safari browser to JB our devices.
As for a proximity sensor issue, I haven't noticed any problem with mine yet and I've been using the phone all the time (Who knew the iPhone made calls?). Is it a US only thing that they fixed when they rolled out the International devices?

Robert penn warren says:

Apple did a great job in security of their products. Protectionism is a core element of the iPhone's success, in Apple's view -- but ultimately, this might come out as a decision that's difficult to defend, as it’s legal to jailbreak like you have done for you iphone 4, tutorial like this “Jailbreak/unlock iPhone 3GS for iOS 4 on Mac”, posted in ifunia iphone column.

Free Business Cards says:

I'm having a problem with font sizes on some of my ebooks. When I convert the pdf with pdflrf, the font size is tiny. The pdf has images in it that I need for reference, so I cant use the built in converter with libprs500 since it strips the images. I need the font size set to 11 or 12 so I can read it easily, vs the 4 or 5 it's showing up at. Does pdflrf have options for font resizing? Does anyone know a way I can do this? I'm currently running Linux, but I can find a Windows machine to do the convert on if I need to since I only need images on a few rare pdf's