The recently launched JailBreakMe website allows users to easily crack a variety of mobile Apple devices. However, the drive-by patch has also sparked serious concern amongst numerous security researchers.
For example, Graham Cluely of Sophos warns that JailBreakMe is not just a headache for Apple, but likely portends future attacks by malicious elements.
“Previously, jailbreaking has required users to connect their device to a computer before they can start to tamper with the set-up of their iPhone or iPad and gain access to the Cydia underground app store.
“The drive-by jailbreak is possible because the website exploits a vulnerability in the way that the mobile edition of Safari (the default browser used in the iOS operating system) handles PDF files – specifically its handling of fonts.”
“[So], if simply visiting a website with your iPhone can cause it to be jailbroken – just imagine what else could hackers do by exploiting this vulnerability?
“[Clearly], Cybercriminals would be able to create booby-trapped webpages that could – if visited by an unsuspecting iPhone, iPod Touch or iPad owner – run code on visiting devices without the user’s permission.”
Meanwhile, the German government has issued an official warning over “two critical weak [iOS] points for which no patch exists.”
According to the Federal Office for Information Security, a manipulated website or PDF file could allow cybercriminals to spy on passwords, planners and emails.
As such, the Office recommends users avoid opening untrusted PDF files and websites.
