14 DAY TRIAL // Jay Freeman, the developer of the Cydia package manager used by jailbroken iPhones, iPads and iPods Touch, has released an unofficial patch for the iOS PDF vulnerability, allowing users to keep their devices unlocked.
Yesterday Apple released iOS 4.0.2 for iPhone 4, 3G, 3GS and iPod Touch 2nd and 3rd generation, as well as iOS 3.2.2 for iPad, in order to patch two vulnerabilities used to jailbreak these devices.
One of the flaws (CVE-2010-1797) was located in iOS' native PDF reader component, or more specifically in code borrowed by Apple from the FreeType open source font library.
This bug is also regarded as the most dangerous of the two, because it can potentially be used to infect users with malware by tricking them into visiting an infected website; or a legitimate one that has been compromised.
Such attacks are known as drive-by downloads and are commonly used to target Windows users through vulnerabilities in popular software like Adobe Reader, Flash Player or Java.
Because of this security risk, various antivirus experts and vendors are currently strongly encouraging iPhone, iPad and iPod Touch owners to install the latest iOS updates.
However, this poses several problems. For one, the operation will un-jailbreak devices and some users would like to keep them like that.
Then, Apple has not released similar updates for the first generation of iPhones, which are also vulnerable and are still being used by a significant number of people.
In order to solve these issues, Jay Freeman, better known online as "saurik", has created a custom patch and released it through the Cydia Store, a site from where users can apps for jailbroken devices.
The patch only protects against the PDF exploit and according to Freeman, was "tested on [iOS] 2.2-4.0.1 on a bunch of devices."
Another alternative for users who don't want to un-jailbreak their devices is to install an application called PDF Loading Warner, which is also distributed through Cydia Store.
The app displays a warning before opening any PDF document, thus giving users a chance to block any unauthorized attempts to launch PDFs.
You can follow the editor on Twitter @lconstantin
