
Apple promises to fix critical iOS flaws in iPhone, iPad and iPod – but won't say when

Warwick Ashford

Apple has promised to fix a security flaw in its iOS operating system used by iPhones, iPads and iPod Touch devices that criminals could exploit, but refuses to say when it will release the necessary patches.

The move comes after Germany's Federal Office for Information Security and several independent security researchers highlighted vulnerabilities in iOS version 4.3.3, and possibly other versions, that are used by the latest jailbreaking software.

JailbreakMe 3.0, designed to allow Apple device users to run software other than that dictated by Apple, exploits two separate vulnerabilities, according to security researchers.

One vulnerability circumvents address space layout randomisation (ASLR), an anti-hacking technology that obscures memory block locations. The other weakness exploits a flaw in the font parsing code of iOS through the PDF viewer built into the mobile version of Apple's Safari browser.

Earlier this week, the German IT security agency warned that criminals could exploit the PDF vulnerability to infect mobile devices with malware without the user's knowledge.

Possible scenarios for attacks by cyber criminals include extracting confidential information such as passwords, accessing the device's cameras or location data, and listening in on phone conversations, the German IT security agency said.

Apple has issued a statement that it is aware of the issue and is developing a fix that will be available to customers in an upcoming software update, but has provided no indication of when that will be.

When asked for an indication of when users could expect an update, an Apple spokesman said: "There is nothing further to announce at this point of time."

The next scheduled update of iOS is in September, but security experts say Apple should not wait until then to release a security update.

It is essential Apple closes this vulnerability as quickly as possible before it is abused with malicious intent, says Graham Cluley, senior technology consultant at Sophos.

"All eyes now turn to Apple to see how quickly it can secure its users from what could be a vector for iPhone/iPad malware infection. Leaving a security hole like this open is simply inviting malicious hackers to exploit it," Graham Cluley wrote in a blog post.

Ironically, the only protection available until Apple releases an update is a patch released by producers of JailbreakMe 3.0 that can be run only on jailbroken devices. The patch, called "PDF Patcher 2," is available on the Cydia app store, according to InfoWorld.

