As we had speculated, Apple is about to release a fix for a flaw in the mobile edition of Safari. The bug had been exploited by enthusiasts to allow a simple, no-computer-needed form of jailbreaking, but had the potential to be used for more sinister purposes.
Although the jailbreaking technique was packaged to resemble an app (for user comfort rather than to mislead people), it actually involved visiting a page in Safari on an iPhone or other device. It now appears the technique took advantage of two distinct flaws in the browser: one was that the way it handled PDF files allowed code to get into the browser, and the other was that that code could then get out of a protected ‘sandbox’ within Safari and get into the root control of the entire device.
While many people looking at the situation noted that the flaws could pose a serious security risk if used by malicious sources, Apple first responded to the issue after a warning by the German government. That’s not unusual: Germany has a department dedicated to information security and regularly advises the public against using particular pieces of software while a bug remains unpatched.
Apple now says: ” We’re aware of this reported issue, we have already developed a fix and it will be available to customers in an upcoming software update.”
In the meantime, it’s probably safer for iPhone users to steer clear of opening PDF documents in Safari, including via search engine results lists. While there’s no evidence yet of hackers exploiting the flaw, any hoping to do so will be acting quickly in a hope of getting to devices before they are updated.
The people behind the jailbreaking trick, the iPhone dev team, have kept busy however: they’ve now extended their network unlocking tool ultrasn0w to cover the iPhone 4.