Jul 16, 2011 08:57 GMT

Apple has released iOS 4.3.4 and 4.2.9 to address several security vulnerabilities including one that has been publicly known for ten days and allows attackers to infect devices with malware.

The vulnerability became known when JailbreakMe 3.0 was released on July 5. JailbreakMe is a popular method of removing limitations imposed by Apple on iDevices and only requires users to visit a website.

Following the release, security researchers expressed concern that malicious attackers might reverse-engineer the exploit and adapt it to infect people with malware.

Fortunately, this hasn't happened, but a ten-day response time to a publicly known remote code execution vulnerability is not something Apple can be proud of.

The vulnerability was located in the third-party FreeType library that handles font rendering. It could have been exploited by tricking users into opening specially-crafted PDF files.

Two FreeType vulnerabilities, CVE-2010-3855 and CVE-2011-0226, were actually patched in these iOS updates; both are similar in nature.

"Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution," Apple warns in its advisory.

A third privilege escalation vulnerability (CVE-2011-0227) was fixed in the IOMobileFrameBuffer component. "An invalid type conversion issue exists in the use of IOMobileFrameBuffer queueing primitives, which may allow malicious code running as the user to gain system privileges," Apple notes.

Before Apple released its patch, comex, the JailbreakMe creator, released a fix through Cydia, the unofficial app store used by jailbroken devices. Unfortunately, that fix was not available to users who didn't want to jailbreak their devices.

Comex acknowledged the risks of the vulnerability exploited in his jailbreak, but said those risks are only theoretical. Despite similar vulnerabilities being disclosed in the past, there has been no large-scale drive-by download attack targeting iOS users to date.