Much larger scope than initially believed

Aug 6, 2010 15:35 GMT

The iOS PDF reader vulnerability, which is currently being exploited to jailbreak Apple devices, has a much larger scope than originally thought. It seems that the flaw also affects other software, including the FreeType font rasterization library which is included in other projects.

There's been a lot of media attention lately focused on two zero-day vulnerabilities in iOS, Apple's operating system used in iPhones, iPads and iPods (touch). The bugs came to light after a web-based jailbreaking service called JailbreakMe.com started using them to bypass the security features on the devices.

The first of the two flaws affects iOS' native PDF reader component. However, it seems that it is actually located in code borrowed by Apple from an external open source font engine called FreeType. The problem lies in how the library processes certain Compact Font Format (CFF) character strings and was reported up the chain to its maintainers by Braden Thomas of the Apple Product Security team.

“If a user loaded a specially-crafted font file with an application linked against FreeType, it could cause the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application,” a Red Hat security advisory reads. As is clear from this description, this might spell trouble for a lot of applications which rely on the FreeType 2 library to support the Compact Font Format.

The first signs of that have already started to appear. Foxit has confirmed and patched the issue in its Foxit Reader product. “Foxit Reader 4.1.1.0805 fixes the crash issue caused by the new iPhone/iPad jailbreak program efficiently and prevents the malicious attacks to your computer,” a security bulletin posted by the company reads.

And if an expert opinion is also needed, VUPEN Security, one of the leading vulnerability research companies in the world, tweeted a few hours ago that “Jailbreakme PDF exploit for iPhone also affects FreeType2, Foxit Reader, and probably others.” [emphasis added]

You can follow the editor on Twitter @lconstantin