Jailbreakme.com flaw not a PDF vulnerability

Broken iPhone courtesy of thetechbuzz's Flickr photostream

Broken iPhone courtesy of thetechbuzz's Flickr photostream

There has been a lot of speculation as to how the jailbreakme.com website exploits a flaw in the Safari browser to enable “one-swipe” jailbreaking. I have read many stories that make the accusation that this is a flaw in the Adobe PDF specifications and that the PDF used on this site will cause Adobe Reader and Acrobat to crash. Sophos has published an identity for these PDFs as Troj/PDFEx-DT.

Fortunately this issue seems to be specific to Apple’s rendering of PDFs on their mobile platform. Adobe’s Brad Arkin wrote about the issue on their ASSET blog this afternoon. Brad summarizes his post by saying “All of our analysis to date indicates that the vulnerability used in the iPhone jailbreak does not impact Adobe Reader or Acrobat.”

The good news is that Adobe should be releasing an update soon that implements the sandboxing I wrote about 2 weeks ago and therefore won’t need to react to this report. The bad news is that another zero-day flaw in Adobe’s Reader and Acrobat products was disclosed by Charlie Miller at last week’s Black Hat conference in Las Vegas. Hopefully fixing the flaw demonstrated by Charlie will not delay the security-enhanced release Adobe is planning.

Apple has acknowledged the flaw in iOS, although they used careful wordsmithing to avoid calling it a flaw. Cnet news reported an Apple spokesperson as saying, “We’re aware of this reported issue, we have already developed a fix and it will be available to customers in an upcoming software update.” Issue? How about bug, problem, or vulnerability? Hopefully an “upcoming software update” means “real soon now” in plainspeak.

Charlie Miller has a history of showing off flaws in the PDF format, Apple’s Safari web browser and Preview document viewer. At this year’s CanSecWest conference here in Vancouver he presented “Babysitting an army of monkeys: an analysis of fuzzing 4 products with 5 lines of Python” in which he showed that simply by dumb fuzzing he could find a large number of unpatched flaws in Preview.

This is the first remote exploit against an iPhone that has not required the phone to be jailbroken. I suppose there is a bit of irony in this, seeing as how the flaw has only been seen in the wild to enable you to jailbreak your phone…

To date, Apple’s security approach has only involved controlling applications in their store so they can provide a safe environment, but this incident could bring the perception of Apple as a virus-free platform to an end. If Apple does not design security into the platform, this incident may only be the tip of the proverbial iceberg.

Update:Adobe has announced they will be pushing out an out-of-band emergency update to patch the vulnerability Charlie Miller demonstrated at Black Hat. The font parsing vulnerability will be fixed the week of August 16th, 2010. Subscribe to my blog or @chetwisniewski on Twitter for further updates.

Creative Commons image courtesy of thetechbuzz’s Flickr photostream.