Days after jailbreaking Apple mobile devices was legalized by the U.S. Copyright Office, a developer known as “Comex” released a very easy-to-use tool that works on iPhone 4.0, iPhone 3G, and iPod Touch 3G devices, among others. The tool dubbed JailbreakMe can be downloaded from a site that can be accessed via Mobile Safari. Jailbreaking allows users to modify the OS of their Apple mobile device, which will, in turn, allow them to install various non-Apple applications onto their devices. It should be noted, however, that jailbreaking an Apple mobile device nullifies its warranty.
JailbreakMe Exploits Two iOS Vulnerabilities
JailbreakMe may appeal to Apple mobile device owners who want to run applications that they cannot otherwise install onto their devices. Using this tool, however, comes with certain risks. In fact, upon closer inspection, TrendLabs engineers found that JailbreakMe exploits two vulnerabilities in order to run non-Apple apps on Apple mobile devices.
The first vulnerability has to do with how Mobile Safari handles .PDF files. Cybercriminals may distribute specially crafted .PDF files that exploit a program flaw in Free Type 2, a font engine that opens and processes font files used in PDF readers, Web browsers, and other applications. This vulnerability has to do with how Free Type 2 handles some Compact Font Format (CFF) opcodes, which when abused, can result in stack corruption.
Stack corruption aka stack buffer overflow occurs when a program writes more data than is actually allocated to a buffer. This almost always results in the corruption of adjacent data on the stack. Cases wherein an overflow is triggered by mistake often cause a program to crash or incorrectly operate. This can, in turn, allow arbitrary code execution on an affected system.
An integer overflow occurs when a numeric value assigned to a program is larger than the assigned storage space. This can lead to unintended behaviors such as a buffer overflow. This can then allow cybercriminals to gain the same system privilege as a device user and run malicious code on an affected mobile device.
Users who download JailbreakMe via Mobile Safari were found to have downloaded a specially crafted .PDF file (aka TROJ_PIDIEF.HLA) that contains the jailbreaking code instead. The said file exploits a vulnerability in how the device handles CFF fonts, which can result in memory corruption.
Though the file does not exhibit any malicious payload, it can still be easily used to instigate cybercriminal attacks targeting iOS devices. In fact, Trend Micro advanced threats researcher Joey Costoya believes that the fact that the PDF exploit has been made public on the jailbreaking site can allow virtually anyone to create a malicious .PDF file using the said exploit.
User Risks and Exposure
There is a high probability that the technique JailbreakMe employed to jailbreak Apple mobile devices will be used to spread malware, especially as the tool is readily available on the Web. The increasing popularity of Apple mobile devices among consumers may even turn jailbreaking into a new infection vector for cybercriminal use. To prevent becoming victims of cybercrime, think twice before downloading any tool off the Internet, as the security risks it brings may outweigh the rewards. In response to this threat, Apple recently released a security patch to resolve the aforementioned vulnerability. We thus strongly advise users to immediately update their mobile devices by visiting this page.
For even better protection, users may download Trend Micro Smart Surfing for iPhone, which blocks access to malicious sites, including the site where JailbreakMe is hosted.
Trend Micro Solutions and Recommendations
The Trend Micro™ Smart Protection Network™ infrastructure delivers advanced protection from the cloud, blocking threats in real-time before they reach you. A global network of threat intelligence sensors correlates with email, Web, and file reputation technologies 24 x 7 to provide comprehensive protection against threats. As the sophistication of threats, volume of attacks, and number of endpoints rapidly grows, the need for lightweight, comprehensive, and immediate threat intelligence in the cloud is critical to overall protection against data breaches, damage to business reputation, and loss of productivity.
In this particular attack, Smart Protection Network’s file reputation technology immediately detects and deletes malicious files like TROJ_PIDIEF.HLA from infected products. Web reputation technology, on the other hand, blocks user access to malicious sites from which the malware may be downloaded.
The following post at the TrendLabs Malware Blog discusses this threat: