Malicious PDF Files To Exploit iPhone & iPad Zero Day In The Wild

Use Netsparker


Well everyone has been waiting for a Jailbreak for the iPad 2 with the latest version of iOS – it happened and only hours later the malformed PDF files that were used in the exploit were circulating the Internet.

It’s not the first time this has happened, last time jailbreakme did the same thing back in August 2010 – Dangerous iPhone iOS JailBreak Exploit Goes Public.

The exploit is quite a nasty one, and the irony is this time – only users that have applied the Jailbreak then the additional ‘PDF Patcher 2’ software (from Cydia) are safe from this. Users running the vanilla version of iOS are actually at risk.

Hours after developers revealed they had exploited bugs in Apple’s iOS to “jailbreak” iPhones and iPads, German government security authorities warned that one of the flaws could be put to malicious use.

Malformed files that exploit the vulnerability have been publicly posted on the Internet. Late Wednesday, Germany’s Federal Office for Information Security, known by its German-language initials of BSI for “Bundesamt fuer Sicherheit in der Informationstechnik,” warned citizens that the iOS bug could be used by criminals to hijack iPhones, iPads and iPod Touches.

“Even clicking a crafted PDF document or surfing to a website with the PDF documents are sufficient to infect the mobile device with malicious software,” the BSI said in a translation of the German-language alert .

PDF files that successfully exploit the vulnerability are available on the Web, according to Mikko Hypponen, chief research officer of Helsinki-based antivirus company F-Secure. And those PDFs could be used by miscreants to hack iOS devices simply by luring users to malicious sites, said Andrew Storms, director of security operations at nCircle Security.

iPhone and iPad users steered to a malicious PDF — via a link embedded in an email, for instance — would not receive any warning or be required to take additional action.

I hope Apple gets their act together and pushes out the patch for this ASAP as I foresee some kind of iPhone/iPad targeted worm coming out of this fairly shortly.

It took them 10 days to patch a similar pair of exploits back in August 2010 so we should be expecting a patch by the end of this week (mid-July sometime).

The worrying part when it comes to business/agencies/government etc – is that these exploits could be used to target specific individuals of importance. All you need to know is the e-mail address they access on their iPhone/iPad and do a bit of social engineering and you’re in.


The BSI warning came just hours after a group of developers released an updated version of JailbreakMe, a tool that hacks iOS so iPhone and iPad users can install software not sanctioned by Apple.

Those developers exploited a pair of vulnerabilities, including one in the font parsing of the PDF viewer integrated with the iOS version of Safari, and another that bypassed anti-malware defenses such as ASLR (address space layout randomization). Wednesday, security experts said that the same vulnerabilities, particularly the one exploitable through malicious PDF files, could be used by criminals to hijack Apple’s popular iPhone and iPad.

“They’re certainly a threat, and would be easy to make malicious,” said Charlie Miller, a noted Mac OS X and iOS vulnerability researcher who works for Denver-based Accuvant.

Miller also speculated that Apple would quickly patch the vulnerabilities, perhaps even faster than last year when it faced a similar situation. In August 2010, Apple patched a pair of bugs used by JailbreakMe 2.0 just 10 days after the tool’s release. News of JailbreakMe 3.0’s impending release had leaked several days before Wednesday’s official launch, noted Miller, and should have given Apple even more warning.

Yesterday’s BSI alert was similar to one it issued last August after JailbreakMe 2.0 appeared.On Thursday, Apple said it would fix the flaws.

Of course the ‘developer’ version of iOS 5.0 is already out and I guess someone people are using this, most iPhone/iPad users have been waiting for that major update – but I’m guessing Apple will have to push a patch out for this before the 5.x major release.

There’s another interesting and relevant article on this topic here:

The problem with doing – and not doing – an iPhone jailbreak

It’ll be interesting to see what comes of this and if any kind of iPhone/iPad chaos is going to occur due to these exploits.

Source: Network World

Posted in: Apple, Exploits/Vulnerabilities

, , , , , , ,


Latest Posts:


CloudFrunt - Identify Misconfigured CloudFront Domains CloudFrunt – Identify Misconfigured CloudFront Domains
CloudFrunt is a Python-based tool for identifying misconfigured CloudFront domains, it uses DNS and looks for CNAMEs which may be allowed to be associated with CloudFront distributions.
Airbash - Fully Automated WPA PSK Handshake Capture Script Airbash – Fully Automated WPA PSK Handshake Capture Script
Airbash is a POSIX-compliant, fully automated WPA PSK handshake capture script aimed at penetration testing, it is compatible with Bash and Android Shell.
XXEinjector - Automatic XXE Injection Tool For Exploitation XXEinjector – Automatic XXE Injection Tool For Exploitation
XXEinjector is an XXE Injection Tool that automates retrieving files using direct and out of band methods. Directory listing only works in Java applications.
Yahoo! Fined 35 Million USD For Late Disclosure Of Hack Yahoo! Fined 35 Million USD For Late Disclosure Of Hack
Ah Yahoo! in trouble again, this time the news is Yahoo! fined for 35 million USD by the SEC for the 2 year delayed disclosure of the massive hack, we actually reported on the incident in 2016 when it became public.
Drupwn - Drupal Enumeration Tool & Security Scanner Drupwn – Drupal Enumeration Tool & Security Scanner
Drupwn is a Python-based Drupal Enumeration Tool that also includes an exploit mode, which can check for and exploit relevant CVEs.
MyEtherWallet DNS Hack Causes 17 Million USD User Loss MyEtherWallet DNS Hack Causes 17 Million USD User Loss
Big news in the crypto scene this week was that the MyEtherWallet DNS Hack that occured managed to collect about $17 Million USD worth of Ethereum in just a few hours.


Comments are closed.