Apple releases iOS 4.3.4 to address PDF security hole

Posted:
in iPhone edited January 2014
Apple on Friday released an update to its iOS mobile operating system for the iPhone, iPad and iPod touch, addressing a potentially dangerous security flaw related to viewing PDF files in the Mobile Safari Web browser.



iOS 4.3.4 can be downloaded and installed to any currently supported iOS-based devices by connecting to iTunes and choosing to update. Apple has characterized the latest software as a security update, and does not contain any new features or fixes.



The update is available for the GSM iPhone 4, iPhone 3GS, iPad 2, iPad, and third- and fourth-generation iPod touch. Another firmware, iOS 4.2.9, is also available for the CDMA iPhone 4 for Verizon users.



The update comes just over a week after Apple announced it would release a fix for the security flaw, and less than 10 days after the issue was given widespread attention.



The update plugs a hole that could allow a hacker to utilize a maliciously crafted PDF file to gain access to a user's system. Visiting a site with this exploit could lead to unexpected application termination or arbitrary code execution.



Apple said this is because a buffer overflow exists in FreeType's handling of TrueType fonts, and a signedness issue exists in FreeType's handling of Type 1 fonts.



The update also reportedly contains a patch for iOS's IOMobileFrameBuffer. Apple said the new software addresses an invalid type conversion issue, which could allow malicious code running as the user to gain system privileges.







The PDF exploit became known last week, after hackers utilized it to offer a browser-based "jailbreak" of iOS devices. "Jailbreak" is the term used to describe exploiting flaws in iOS code to allow users to run software that is not approved by Apple.



While those behind the jailbreakme.com site did not create it with malicious intent, it's possible that a more nefarious hacker could release an exploit that, when visited by a user, could allow unsigned code to be run on an iPhone or iPad without the user's permission or even knowledge.
«13

Comments

  • Reply 1 of 60
    Edit: nevermind they have an update for CDMA users too. I'm gonna download it real quick
  • Reply 2 of 60
    swiftswift Posts: 436member
    Thank God one of the advertised "features" of the Google phones is that you can root them!



    Wait a minute. If you can root them, can't somebody else, for less "it's my phone!' motives? Or, wait, somebody sending you a malicious pdf can make it HIS phone.



    It's always seemed a strange, quixotic belief, those who buy phones to jailbreak them.
  • Reply 3 of 60
    diddydiddy Posts: 282member
    Quote:
    Originally Posted by Darkstar2007 View Post


    Looks like your still SOL if you have the CDMA version....



    No, there is an update 4.2.9 for CDMA phones.
  • Reply 4 of 60
    cloudgazercloudgazer Posts: 2,161member
    Quote:
    Originally Posted by Swift View Post


    Thank God one of the advertised "features" of the Google phones is that you can root them!



    Wait a minute. If you can root them, can't somebody else, for less "it's my phone!' motives? Or, wait, somebody sending you a malicious pdf can make it HIS phone.



    It's always seemed a strange, quixotic belief, those who buy phones to jailbreak them.



    Well there's a difference between OS supported rooting that requires an explicit user approval and a hacked rooting that just requires downloading a PDF. The former is a feature, the latter is most definitely a bug.
  • Reply 5 of 60
    tbelltbell Posts: 3,146member
    Well I am sure a few million people, myself included, took advantage of this easy method to update the version number of our software and keep our phones jail broken and unlocked.
  • Reply 6 of 60
    negafoxnegafox Posts: 480member
    Fortunately, nobody has tried to exploit this bug to install malware, or even worse, brick iPhones. A malicious person could have easily done this.
  • Reply 7 of 60
    jonamacjonamac Posts: 384member
    I saw red text, 'Apple releases...' and soiled my pants thinking it was about Lion!
  • Reply 8 of 60
    djames4242djames4242 Posts: 496member
    Quote:
    Originally Posted by Jonamac View Post


    I saw red text, 'Apple releases...' and soiled my pants thinking it was about Lion!



    Yeah, I don't think this was worthy of a 'red' update myself...



    Quote:
    Originally Posted by TBell View Post


    Well I am sure a few million people, myself included, took advantage of this easy method to update the version number of our software and keep our phones jail broken and unlocked.



    I was excited to hear about the flaw. I lost my jailbreak when I upgraded my 3G to a 4G a few months ago. The 3G was super easy to jailbreak in place; the 4G normally requires a full restore to jailbreak. This flaw allowed me to install Cydia in a matter of seconds. Love it!



    FWIW, the only thing I use that requires a Jailbreak is SBSettings. I love being able to disable WiFi (or change brightness settings) with a swipe and a tap. With the 3G it was critical because it was the only way to lock rotation.







    There are tons of plugins for SBSettings allowing instant toggles for Airplane mode, 3G, etc. Plus the process icon allows for easy termination of apps...
  • Reply 9 of 60
    aaronjaaronj Posts: 1,595member
    Quote:
    Originally Posted by Jonamac View Post


    I saw red text, 'Apple releases...' and soiled my pants thinking it was about Lion!



    I don't know about soiling my pants, but I thought it was Lion too.



    This sucks.
  • Reply 10 of 60
    umairumair Posts: 16member
    Don't Plug i-tunes cable .lol
  • Reply 11 of 60
    tmallontmallon Posts: 39member
    this proves that there has been no movement of 4.3.xxx for the CDMA Verizon iphone. Apple could have told verizon there was no fix for 4.2.X and forced them to allow the 4.3.4,
  • Reply 12 of 60
    wizard69wizard69 Posts: 12,666member
    As a long time open source user I value the platforms out there that permit open installation of software. Especially on stuff I want to hack on myself.



    My iPhone has quickly become a critical piece of hardware and I actually appreciat Apples efforts to keep it free of crap wear. Do I want all of the hardware world to go this route - absolutely not! The thing is once you realize that the little guy in your pocket is a money maker you really don't want to screw with it.



    Quote:
    Originally Posted by Swift View Post


    Thank God one of the advertised "features" of the Google phones is that you can root them!



    Wait a minute. If you can root them, can't somebody else, for less "it's my phone!' motives? Or, wait, somebody sending you a malicious pdf can make it HIS phone.



    A very serious problem if you ask me. Android is full of holes and can be exploited anytime.

    Quote:

    It's always seemed a strange, quixotic belief, those who buy phones to jailbreak them.



    Well it can be a great toy. I guess it depends upon how important the phone is to you. I won't jailbreak my carry phone but might jailbreak the iPad if the right reason came around. The unfortunate part about jailbreaking is that many just see it as a way to steal software.
  • Reply 13 of 60
    I love these jailbreak topics - another entertaining day in the dumbing down of Apple's customer base where ignorance is bliss in showing just how obtuse Apple customers have become since the introduction of the iPod -



    Whoa!
  • Reply 14 of 60
    prof. peabodyprof. peabody Posts: 2,860member
    Quote:
    Originally Posted by djames4242 View Post


    ... ...



    Now *that* is ugly.



    Also pretty much useless unless you like tinkering with stuff. The only things I need quick access to are the task list and the brightness and both are provided in iOS with "a swipe and (button) tap."



    People who have to turn their Wi-Fi on and off or their Bluetooth on and off on a phone are "doing it wrong" IMO. The whole point of the phone is that it's all handled automatically and unless you are using the phone for some unusual things most people's phones will run a day or more without a charge already so there isn't really a need to save power.
  • Reply 15 of 60
    gatorguygatorguy Posts: 19,805member
    [QUOTE=wizard69;1901185] Android is full of holes and can be exploited anytime. /QUOTE]



    I've seen no evidence that Android can be easily exploited. Nor that it's "full of holes", whatever that means. Are you referring to security holes? If so, what are they? Anything similar to the PDF or IOMobileFrameBuffer security issues that Apple released a patch for today?



    There's no need to post FUD to make Apple look superior to Android. In many ways it is. Security is not one of those ways IMO.
  • Reply 16 of 60
    jexusjexus Posts: 373member
    [QUOTE=Gatorguy;1901204]
    Quote:
    Originally Posted by wizard69 View Post


    Android is full of holes and can be exploited anytime. /QUOTE]



    I've seen no evidence that Android can be easily exploited. Nor that it's "full of holes", whatever that means. Are you referring to security holes? If so, what are they? Anything similar to the PDF or IOMobileFrameBuffer security issues that Apple released a patch for today?



    There's no need to post FUD to make Apple look superior to Android. In many ways it is. Security is not one of those ways IMO.



    It's no secret that Android has been a target for malware attacks..that one cannot deny. BUT the key is to look in any article that mentions such usually contains an "When Installed" phrase somewhere. Android is not going to be remotely taken from you over a cellular network unless you the user allow it to and give permissions.



    If you are gullible enough to Fall for the random PDF or file gimmick, do yourself a favor and get an Iphone...save yourself the trouble.
  • Reply 17 of 60
    tbelltbell Posts: 3,146member
    Might be ugly, but Apple is incorporating some of this same functionality into iOS 5.



    Quote:
    Originally Posted by Prof. Peabody View Post


    Now *that* is ugly.



    Also pretty much useless unless you like tinkering with stuff. The only things I need quick access to are the task list and the brightness and both are provided in iOS with "a swipe and (button) tap."



    People who have to turn their Wi-Fi on and off or their Bluetooth on and off on a phone are "doing it wrong" IMO. The whole point of the phone is that it's all handled automatically and unless you are using the phone for some unusual things most people's phones will run a day or more without a charge already so there isn't really a need to save power.



  • Reply 18 of 60
    anifananifan Posts: 25member
    I know this sucks for jailbreakers, but thank goodness that .pdf exploit has been fixed.
  • Reply 19 of 60
    mdriftmeyermdriftmeyer Posts: 7,194member
    Quote:
    Originally Posted by TBell View Post


    Might be ugly, but Apple is incorporating some of this same functionality into iOS 5.



    You mean exposing it.
  • Reply 20 of 60
    djames4242djames4242 Posts: 496member
    Quote:
    Originally Posted by Prof. Peabody View Post


    Now *that* is ugly.



    Oh I have to disagree. I don't think it's ugly at all. Besides, this is just one of countless themes (and not the default one either).



    Quote:

    Also pretty much useless unless you like tinkering with stuff. The only things I need quick access to are the task list and the brightness and both are provided in iOS with "a swipe and (button) tap."



    Brightness may be available with a quick swipe and tap on the iPad, but it's not on the iPhone. The process list allows you to also kill persistent apps, like Mail. Not so necessary on the newer phones, but it saved me from a lot of reboots on my 3G where memory was at a premium. It also has a 'free up memory' button that cleans up some heap.



    Quote:

    People who have to turn their Wi-Fi on and off or their Bluetooth on and off on a phone are "doing it wrong" IMO. The whole point of the phone is that it's all handled automatically and unless you are using the phone for some unusual things most people's phones will run a day or more without a charge already so there isn't really a need to save power.



    It's not just a matter of saving power, although I do tend to shut BT down frequently when I know I won't be using it (like when I travel where I may not be as close to power as I normally am, and where I don't have a car with a hands-free kit installed).



    I don't always want to take the time to "accept the agreement" at a Starbucks to quickly check my email while I'm standing in line for coffee. At work our WiFi requires us to sign in to VPN, and I don't always have my token handy. In cases like this, it's easier to just switch over to 3G, and it's much faster to do that using a swipe and tap than it is to dig in to the system preferences panel. Sometimes 3G coverage is spotty, so I switch over to EDGE. As long as it's available with a swipe, I might as well avoid the system preferences panel.
Sign In or Register to comment.