
(stovak)
Better not load any PDFs on your iPhone for a while, not unless you want to risk handing over total control of your device to hackers. The exploit affects all iOS 4 and iOS 3.1.2 and higher devices, including the iPod touch and the iPad.
The malicious code lurks inside a font inside the PDF, and when you go to view the document, it causes something called a “stack overflow” which fills up the memory. During the ensuing crash, the program can slip into your device and do anything it wants. Anything, from deleting files, to installing secret monitoring programs, to automatically calling 911 every time you make a phone call, to constantly shouting insults at you. Anything that can be programmed can be done.
So until they patch this bug, best just wait to view any PDFs until you’re at your home computer.
Apple Security Breach Gives Complete Access to Your iPhone [Gizmodo] (Thanks to GitEmSteveDave!)
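To show the class of bug the article describes, here is an added example (not Apple's code, and not the actual flaw) of a parser copying a length-prefixed field from a font into a fixed stack buffer, with the unchecked form beside a hardened one. The record layout, function names and sample bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FONT_NAME_CAP 32

/* Hypothetical record in an embedded font: [1-byte length][name bytes].
 * The length byte is read from the file, so whoever built the file sets it. */

/* Unsafe pattern: trusts the length byte. A record claiming 200 bytes makes
 * memcpy write past the 32-byte stack buffer into adjacent stack data. */
size_t read_name_unchecked(const uint8_t *rec, char *out) {
    char name[FONT_NAME_CAP];
    size_t n = rec[0];
    memcpy(name, rec + 1, n);          /* no bound: overflows when n > 32 */
    memcpy(out, name, n);
    return n;
}

/* Hardened form: returns the name length, or -1 for a malformed record. */
int read_name_checked(const uint8_t *rec, size_t rec_len,
                      char *out, size_t out_cap) {
    if (rec == NULL || out == NULL || rec_len < 1) return -1;
    size_t n = rec[0];
    if (n > rec_len - 1) return -1;    /* claims more bytes than were supplied */
    if (n > FONT_NAME_CAP || n >= out_cap) return -1;  /* would not fit */
    memcpy(out, rec + 1, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed sample records (not taken from any real font). */
static const uint8_t GOOD_REC[] = {5, 'A', 'r', 'i', 'a', 'l'};
static const uint8_t OVERSIZE_REC[201] = {200};  /* length byte 200, zero fill */
static const uint8_t TRUNCATED_REC[] = {10, 'a', 'b'};

int check_record(const uint8_t *rec, size_t rec_len) {
    char name[FONT_NAME_CAP + 1];
    return read_name_checked(rec, rec_len, name, sizeof name);
}

int main(void) {
    printf("good:      %d\n", check_record(GOOD_REC, sizeof GOOD_REC));
    printf("oversize:  %d\n", check_record(OVERSIZE_REC, sizeof OVERSIZE_REC));
    printf("truncated: %d\n", check_record(TRUNCATED_REC, sizeof TRUNCATED_REC));
    return 0;
}
```

The checked version rejects both the record whose length exceeds the buffer and the one whose length exceeds the bytes actually present, which are the two ways a file-supplied length can mislead a parser.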







Stack overflow? Really? That’s so Windows 98.
You would think a company that manufactures computers could get this right.
Ten bucks that Apple instantly blames Adobe.
You beat me to it.
Same here, I was thinking more of an “Adobe’s revenge” type topic.
Apple is using its own PDF viewer and code. Adobe has nothing to do with this.
Since when has Apple let facts get in the way, though?
*sarcasm disclaimer* What are you talking about? There is no problem with Apple’s PDF viewer!! Steve said you’re just holding it wrong!
Sadly most people would believe it too, but more importantly – Adobe wrote the spec, not the viewer.
Now, now, we all know it is Bush’s fault…
I honestly didn’t even know I could view PDFs on my iTouch.
Yup, you can view a pdf from an email attachment or web link.
I really don’t understand why so many people buy the pdf viewers from the app store.
This article is ridiculous…everyone knows that apple products are immune to hacking and viruses. It’s more likely that hackers broke into the Consumerist’s server, which is PROBABLY a PC, and uploaded this fake story to freak everyone out.
Shame on you, hackers!
Wow, I love this so much.
WIN!
True enough, but what the article isn’t really saying is that you have to load a special, evil pdf file. The pdf that your boss just emailed you is probably okay. Unless your boss got it from the wrong place.
While that’s true, a malicious ad on a website could open such an evil PDF in a small iframe.
Zach Galifianakis has three iPhones?!
Heh, heh, heh. Just watched his special on Netflix over the weekend. That guy is too funny.
You would think by now that programs would have a built-in feature to handle stack overflows. I’m a programming rookie, so I don’t know if that’s feasible, but it sure would be nice.
There are many languages that don’t allow for buffer overflows. Usually any language that has managed memory is immune.
And for others you can create or buy libraries that do not have this problem. There are programs to check the final executable for buffer overflows, memory leaks etc. And even still, there are some hardware implementations that handle things like this. Since Apple has complete control over the hardware and software they should fix this vulnerability. …unless of course they want to not only control what apps you can buy, ebooks you can read, but also any content you can read from the internet.
They would if they could.
Unless you’re coding on iOS4, where you’re forbidden from using any language or API that Apple hasn’t expressly vetted!
Apple bears some blame in using a language/platform from the ’80s that still allows buffer overflow (Objective-C).
However, Adobe has shown time and again that their code (Reader or Flash) can make any system unstable. My PS3 will lock up after watching too many Flash movies in the browser!
Oops, I guess this is all Apple code. Apple bears the full responsibility here!
But… but… walled garden!
“You’re opening your PDFs wrong”
-Steve
A Heavenly and Divine Exploit, for your Magical and Revolutionary Smartphone.
Not that you would want to read a PDF on your phone anyways unless it was only a couple pages… Same logic as to why you would not watch the Lord of the Rings trilogy on your iphone. Personally, I enjoy my neck, back and eyes.
You have to hold press your hand over a little gap on the edge of the phone to keep from achieving a full stack.
I don’t know… I’m a bit skeptical considering the source of the article.
Can we finally accept the fact that viruses did not affect Apple products because very few people cared about Apple products? Not because Steve Jobs touched each one personally, infused it with his divine powers and thus made it immune from any virus.
Now that Apple products are used by many people, they make a good target.
to be fair, no one in the apple camp (that i know of) ever bet on infinite immunity. this article states that at least since 2002, apple was recommending AV software to its mac users.
http://news.cnet.com/8301-1009_3-10110852-83.html
fanboys certainly purport immunity, but the truth is that the assholes that write malware will exploit whatever they can, whenever they can. too bad they lack the cognition to put any of that energy toward anything productive – except maybe that ATM jackpot exploit – that seems pretty productive. =P
Apple can just release a security patch whenever they feel like breaking the latest popular jailbreak. What a load of crap.
Totally true. Except, how many people are not going to notice that their phone is suddenly rebooting and behaving weird?
I’m surprised that nobody’s mentioned that there are only about a half dozen people in the world that know how to make use of this exploit and they’re all part of the jailbreaking community. They’re not talking about how it’s done to anyone and they used it to create http://www.jailbreakme.com, the jailbreak for all iOS devices running all firmwares, that is executed by going to the site from your device’s Safari browser. There’s also a fix for jailbroken devices that helps prevent this from happening IF anyone else figures out how to do it.
But yeah, way to fear monger.
I should clarify, the Gizmodo article mentions that stuff, but who ever clicks through to the source articles?
Actually, there is information on how to do this on the newsgroups, and that’s also where the hackers hang, so at this point several thousand at minimum know how to do this.
I DON’T THINK THERE IS ANY WARNING THAT YOU ARE ACCESSING A PDF!
The “jailbreakme.com” site uses it and it just briefly says it is downloading, but nothing about a PDF.
Unlike firefox, or even most browsers on windows, there is no way to alter the behavior of Safari so as to not try to download/view PDFs (Thank you Steve Jobs for locking us in with the flaws).
You can theoretically disable javascript but then sites don’t work (nothing like noscript that disables on a per-site basis), but you won’t be able to tell shortened URLs point to PDFs, so if someone tweets one? Buys a banner ad?
As far as I know, the only way to prevent the problem is not to surf anywhere that you don’t trust has secured things.
Or jailbreak the phone using the exploit and disable PDF viewing.
I’m jailbroken and have a file to prevent this from happening.
There have been security problems with PDF files for a while now. Adobe has one that up until very recently was exploitable.
It’s a newfound issue. It will get fixed.
But because Apple is involved, the haters are out en masse, as expected.