14 DAY TRIAL // JailbreakMe, Comex’s iOS hack that exploits a PDF vulnerability to run unauthorized code on iPhones and iPads, could pose serious security threats, according to Graham Cluley, senior technology consultant at Sophos. However, the hole can be easily closed by users with a quick visit to the right place on Cydia.
As always, Mr. Cluley offers his pertinent opinion noting that “if visiting the JailBreakMe website with Safari can cause a security vulnerability to run the site's code, just imagine how someone with more nefarious intentions could also abuse the vulnerability to install malicious code on your iPad or iPhone."
Cluley says the ball is now in Apple’s court. However, while it is Apple’s responsibility to close such holes, there is already a patch that allows users to jailbreak and stay on the safe side.
After jailbreaking, users can launch Cydia and download PDF Patcher 2 (also authored Comex).
After installation, whenever a website tries to open a PDF on the user’s device, an alert will pop up asking if they really want to continue.
Comex himself admits that his PDF vulnerability can be used by people with bad intentions:
"I did not create the vulnerabilities, only discover them. Releasing an exploit demonstrates the flaw, making it easier for others to use it for malice, but they have long been present and exploitable,” he said.
“Although releasing a jailbreak is certainly not the usual way to report a vulnerability, it still has the effect of making iOS more secure in the long run," Comex believes.
Indeed, it is still Apple who ultimately has to close these holes, even if it means closing the holes that allowed Comex’s jailbreak in the first place.
That’s no problem for the hacker, though. History has shown that he is always capable of finding new ones, keeping the cat-and-mouse game going.
And he’s not alone. He has an entire Dev Team at his side to help with finding new vulnerabilities, and there are other hacking teams out there with the same goal.