Apple to patch, PDF font exploit in upcoming software update

I think we all generally assumed this, but it's nice to see Apple going on record as saying they'll patch the PDF font exploit that currently allows -- and potentially any malicious hacker out there -- to run code on an iPhone with just the tap of a web button. CNET scored the quote from an Apple spokeswoman:

"We're aware of this reported issue, we have already developed a fix and it will be available to customers in an upcoming software update."

That might not be great news for Jailbreakers in the waiting, but this is a really bad security vulnerability and Jailbreak or no Jailbreak, Apple needs to fix it as soon as possible. Apple of course currently only provides updates in the form of complete firmware re-writes, which means we're likely going to have to wait for an iOS 4.0.2 (and hopefully a proximity sensor fix), or iOS 4.1 this fall when Apple introduces iPod touch 4.

If they could somehow work out a way to patch iOS, especially OTA, without having to wait until an entirely new firmware is ready it would go a long way towards speeding up their security response time for situations such as this.


Rene Ritchie

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.

  • Good. God only knows what could have happened.
  • Excellent news. I don't mind a JB of any device, but I don't like how this one works.
  • Hopefully it won't take too long to JB ios 4.1.
    No upgrade for me until their is a JB.
  • My friend was amazed when I jailbroke his phone sitting in a bar watching the Yankee game. Told him that part was free, but changing his SSH password would be $50 ;)
  • @George
    It depends on what else Apple fixes. If they fix the proximity sensor sensitivity issue, then I'll gladly lose my jailbreak for now. But if not, I'll wait as well.
    If you went ahead with the jailbreak, you can prevent iOS from automatically loading PDFs :)
  • Just download the PDF warner from Cydia. Your phone will be more safe jailbroken than not.
  • Very disappointed about this. I'm sure the developers will find a way around it though.
  • "If they could somehow work out a way to patch iOS", oh this makes me lol. They can't even patch iTunes or Safari yet how are they going to possibly patch a whole OS? A 350MB download makes perfect sense to fix one little bug.
  • "If they could somehow work out a way to patch iOS, especially OTA, without having to wait until an entirely new firmware is ready it would go a long way towards speeding up their security response time for situations such as this."
    I bet they could publish a PDF link to do an OTA update! :P
  • @Jake,
    I don't have any issues with the proximity sensor, I guess it isn't every phone. Even if I did have the issue, I would opt for the JB. I would have never bought an iphone if I couldn't JB. Such basic stuff that has been available for years on other 1G phones is crippled/disabled by the Apple dictatorship.
    I got the Cydia warning program for the PDF exploit. It is good enough for me.
  • I like how apple will make this "available" to us.
  • As much as I love Apple and my iPhone, the fact that they are soooooooo rigid as to not patch a security issue like this until it fits their schedule really annoys me. This is horrible customer service and that saddens me.
  • I love that easy jailbreak
  • No Jailbreak. No update.
  • Looks like Apple already patched my Evo, doesn't work on my Evo :'(
  • I am becoming alittle alarmed by how may times Apple seems to be getting caught flatfooted by these things. First, the "death grip / touch / finger" mess, now this. And as with the first, no hurry to fix it. Do we REALLY need someone on CNN complaining that their phone was hacked?? Are we going to be exposed to more Apple videos showing that other phones has the same problem?? This really is starting to look like a product that was not ready, but released anyway. Look at the past examples....things dropped from phones / pods at the last minute for some minor problem, or Jobs did not like it. They KNEW about the grip issue, hence the ready made bumpers, and now a security threat. VERY un-Apple. Was it because HTC was breathing down their necks with their new phones every 10 days?? Apple can deny all they want, but their "body language" is giving them away.
  • People need to relax. Every device is vulnerable to some type of attack. This is just ONE exploit they used...there are others. If someone wants to hack your phone then try will. An like said above, dl the PDF Warner from cydia and it's safer than before the jb. I like how simple everyone thinks it is to just patch a security flaw that is so damaging. It takes time if it's so big and scary like you think it is. One letter off in a thousand line C++ code or whatever renders it useless.
  • How many exploits are in Windows XP? How many bugs are there in a typical game from the AppStore or on Xbox? The problem I've been seeing is people developing half a$$ programs with the intent that they can always patch it down the road. Get it right the first time.
  • @VAG, I agree my XP runs like crap thanks to the 300 updates it pushed out
  • This type of security hole deserves its own release as soon as it is ready. It is a sad commentary on Apple's priorities that they would rush a point release just to block Palm Pre music sync but cannot do so for a demonstrated critical security hole in the wild.
  • Most people that are "terrified" of the exploit are people that don't understand how these things work. Then again, those are the people that should be most afraid because they are the most likely to clink the "Free iPhone 4" link.
    They are also the people that think the death-grip is really causing them to drop calls.
  • On the subject of the recent method of jailbreaking, this was the same way I JB'ed my iPod Touch 1G. You went to (or something like that) and it did it all for you. Maybe it wasn't a PDF exploit but it's the 2nd time we've been able to use the Safari browser to JB our devices.
    As for a proximity sensor issue, I haven't noticed any problem with mine yet and I've been using the phone all the time (Who knew the iPhone made calls?). Is it a US only thing that they fixed when they rolled out the International devices?
  • How To [FIX] Invalid SIM Problem
  • Apple did a great job in security of their products. Protectionism is a core element of the iPhone's success, in Apple's view -- but ultimately, this might come out as a decision that's difficult to defend, as it’s legal to jailbreak like you have done for you iphone 4, tutorial like this “Jailbreak/unlock iPhone 3GS for iOS 4 on Mac”, posted in ifunia iphone column.
  • I'm having a problem with font sizes on some of my ebooks. When I convert the pdf with pdflrf, the font size is tiny. The pdf has images in it that I need for reference, so I cant use the built in converter with libprs500 since it strips the images. I need the font size set to 11 or 12 so I can read it easily, vs the 4 or 5 it's showing up at. Does pdflrf have options for font resizing? Does anyone know a way I can do this? I'm currently running Linux, but I can find a Windows machine to do the convert on if I need to since I only need images on a few rare pdf's
  • Boooo! Not cool Apple!!!