Hackers patch PDF exploit on older, jailbroken iOS devices
Apple has not released a patch for a PDF exploit that affects older iPhones and iPod touches, but ironically hackers who have used the security flaw to "jailbreak" iOS devices have delivered their own fix.
Earlier this week, Apple released iOS 4.0.2 for the iPhone 3G, iPhone 3GS, iPhone 4, and second- and third-generation iPod touch models, addressing a dangerous security flaw that could allow a hacker to take remote control of a device. It also released iOS 3.2.2, packing the same fix the iPad and iPad 3G.
But users of the first-generation iPhone and iPod touch do not have access to an official software update from Apple that will fix the PDF exploit. For them, the latest compatible version of iOS is 3.1.3.
A hacker who goes by the handle "Saurik," who also maintains the alternative storefront Cydia, released a PDF patch this week that addresses the exploit for all devices and all firmware versions, dating back to iOS 2.x.
"Since the only reason for 4.0.2 was to fix the security holes, and since the upcoming Cydia package will fix them too (and then some!), everybody should sit tight on 4.0.1 (or lower) and install the Cydia package as soon as it?s out," the iPhone Dev-Team wrote on its official blog. "Jailbreakers can have their cake and eat it too."
Ironically, those same hackers relied on the very same exploit to create a browser-based jailbreak for iOS devices, including the iPhone and iPad.
Jailbreaking allows users to run software not approved by Apple, which has no plans to allow users to install third-party applications downloaded from outside its sanctioned App Store. Hackers have created their own custom applications -- many free, and some for purchase from an alternative storefront known as Cydia.
Though it can void Apple's product warranty, the process is legal, as the U.S. Library of Congress officially declared last month. The government approved the measure as an exemption to a federal law which prevents the circumvention of technical measures that keep users from accessing and modifying copyrighted works.
Jailbreaking also allows users to pirate App Store software, one reason Apple has been opposed to the practice.
Earlier this week, Apple released iOS 4.0.2 for the iPhone 3G, iPhone 3GS, iPhone 4, and second- and third-generation iPod touch models, addressing a dangerous security flaw that could allow a hacker to take remote control of a device. It also released iOS 3.2.2, packing the same fix the iPad and iPad 3G.
But users of the first-generation iPhone and iPod touch do not have access to an official software update from Apple that will fix the PDF exploit. For them, the latest compatible version of iOS is 3.1.3.
A hacker who goes by the handle "Saurik," who also maintains the alternative storefront Cydia, released a PDF patch this week that addresses the exploit for all devices and all firmware versions, dating back to iOS 2.x.
"Since the only reason for 4.0.2 was to fix the security holes, and since the upcoming Cydia package will fix them too (and then some!), everybody should sit tight on 4.0.1 (or lower) and install the Cydia package as soon as it?s out," the iPhone Dev-Team wrote on its official blog. "Jailbreakers can have their cake and eat it too."
Ironically, those same hackers relied on the very same exploit to create a browser-based jailbreak for iOS devices, including the iPhone and iPad.
Jailbreaking allows users to run software not approved by Apple, which has no plans to allow users to install third-party applications downloaded from outside its sanctioned App Store. Hackers have created their own custom applications -- many free, and some for purchase from an alternative storefront known as Cydia.
Though it can void Apple's product warranty, the process is legal, as the U.S. Library of Congress officially declared last month. The government approved the measure as an exemption to a federal law which prevents the circumvention of technical measures that keep users from accessing and modifying copyrighted works.
Jailbreaking also allows users to pirate App Store software, one reason Apple has been opposed to the practice.
Comments
All they care about is keeping you in that walled garden. And you love it don't you guys??
My only question is, if you're jailbroken and install this patch, and need to restore and rejailbreak your phone, will you have a problem? I guess the answer is no, as long as you manage to restore to 4.0.1.
I just checked, and it's a mobilesubstrate add-on, so it should be gone after a restore, making a re-jailbreak possible.
Goes to show you where Apple's head is at these days. No fix for the antenna, no fix for the proximity sensor, no fix for the 3G that has been hobbled by iOS4. But they couldn't wait to get out a fix to keep you from jailbreaking.
All they care about is keeping you in that walled garden. And you love it don't you guys??
Hello!? It's a serious security flaw for non-jailbreakers. You know the regular people. In fact for everyone. The flaw could be used to do much more serious issue than just jailbreaking. Had Too much anti-Apple koolaid today?
It wasn't fixed to stop jailbreakers. I sure as hell don't want my phone compromised coz of a dirty PDF file.
hey are you guys blind apple has posted a fix for this .
Apple has not issued an update for first generation devices, or an update for those of us with older devices (I'm keeping my iPhone 3G on iOS 3.x) that don't want to upgrade those to iOS 4.x.
Hello!? It's a serious security flaw for non-jailbreakers. You know the regular people. In fact for everyone. The flaw could be used to do much more serious issue than just jailbreaking. Had Too much anti-Apple koolaid today?
It wasn't fixed to stop jailbreakers. I sure as hell don't want my phone compromised coz of a dirty PDF file.
It's not about anti Apple koolaid to expect Apple to be making key fixes a priority. I think that the expectation for Apple to get some of these other issues fixed is legitimate. The antenna has not been an issue for me but it evidently has been for some but the proximity problems are annoying and it would be nice for them to get updates out for those as quickly as they did for the pdf issue. It is also strange that Apple has not yet released a pdf fix for older iphones and they should get that out as soon as possible to.
All they care about is keeping you in that walled garden. And you love it don't you guys??
Maybe you think everything should be free, like the jailbreakers and hackers, but most regular consumers know that the so-called "walled garden" is what allows Steve to do R&D to bring us so many great products.
It's not about anti Apple koolaid to expect Apple to be making key fixes a priority.
Yes. As a person with a hobbled 3G, who cares about the patch when the f-ing phone is such a pain to use?
Yes. As a person with a hobbled 3G, who cares about the patch when the f-ing phone is such a pain to use?
Have you tried a clean install of 4.x, or downgrading your 3G to 3.1.3?
Have you tried a clean install of 4.x, or downgrading your 3G to 3.1.3?
I've tried all the various suggestions except for going back to 3.1.3. I think that's next.
Here are just a FEW of the security holes Apple did not yet patch on first-gen. iPhone & iPod Touch:
http://support.apple.com/kb/HT4225
Heck, Apple even DOCUMENTS that it affects iOS 2.0 through 3.1.3!!! AND, there are a LOT of them!
...But they couldn't wait to get out a fix to keep you from jailbreaking.
...And you love it don't you guys??
It has nothing to do with jailbreaking (although the exploit can be used for that). It does however have to do with fixing a security flaw. I personally rather like security fixes as soon as they are available. Did you ever stop to consider that the other issues are a bit more complex to fix and therefore take longer - or would you really advocate holding this till the other stuff could be fixed sometime later - didn't think so.
As far as loving it - not nearly as much as when you were gone for awhile. Seemed a lot more peaceful then!
Now that iPhone's are ubiquitous, hackers have gone over to the dark side, after getting tired of constantly hacking Windows platforms.
Are we now doing to see weekly or monthly unauthorized hacks of our iPhones, which will keep Apple releasing *.01 fixes, ad nauseum, to keep one step ahead of them.
As those of us who use Windows at work well know - the list of security fixes is well over a hundred or more, and with each fix, the software gets more bloated, and the hardware more constipated.
I would be very discouraged at Apple, if I was a programmer who had to worry about a new fix having to be put out every week or so. Right now, enough folks are accusing Apple of "bloatware" with the 4.0 software being used on older devices, which some think may be released for these devices with total disregard for performance, since this builds in planned obsolescense for older devices (think of how often you had to upgrade your PC's to keep up with the bloatware that was slowing your PC, with Microsoft saying that the reason was all these new features that you just HAD to have - Puleeeze!). Just thinking out loud, and hoping against hope that there is no elephant.
Yes. As a person with a hobbled 3G, who cares about the patch when the f-ing phone is such a pain to use?
I upgraded from a 3G with 4.0 installed to the iPhone 4 and there is a dramatic difference in operability. Of course that is not an option for everyone and I agree that Apple needs to get iOS 4 working properly on the 3G (or allow people an easy way to downgrade to 3.x)