iOS 4 Jailbreak Method Brings Security Concerns [Updated]
There is renewed concern today over iOS security after a website-based jailbreaking tool was released for iOS 4 for iPhone and iPod touch and iOS 3.2 for iPad.
While the jailbreak appears to be a relatively benevolent attack against a security hole in iOS, concern remains that there is a yet-unpatched and largely unidentified security vulnerability in iOS that hackers could use in a similar way to remotely plant malware on an unsuspecting victim's device.
Multiple reports suggest that the jailbreak method attacks a flaw in the iOS PDF viewer in order to gain access to the device. However, the project's principal developer, "comex", writes via his Twitter account that he is wondering "how long until someone figures out the actual bug I'm exploiting."
A similar jailbreak method was devised for iPhone OS 1.1.1, where developers even fixed the targeted bug after the jailbreak was complete.
Update: More technical details have emerged regarding the security hole that is exploited to perform the jailbreak. The remote website presents a PDF with a specially crafted embedded font, and the security issue lies in the processing of that embedded font. Interestingly, Apple had fixed a very similar issue in MacOS with Security Update 2010-003.