Vulnerability in Apple iOS 4 allows attackers to remotely execute any code

New in Apple iOS 4 allows attackers to remotely execute any code with superuser privileges. To infect, it is enough to go to a specially prepared web page in the browser. The attack is as follows: using javascript, as a picture, a specially prepared pdf file is loaded. When displaying this document, iOS 4 unpacks the font embedded using FlateDecode in PDF, an attempt to display which causes a stack overflow, and then a matter of technology. Schematically, this attack looks like this:


Based on this vulnerability, the jailbreakme.com service has been built for several days. The user of any Apple product on iOS 4 just go to this page from his device and press a button so that his phone becomes jailbroken. Vulnerability is considered critical because the attack is transparent to the user, and the attacker gets full access to personal data, including local application data, address book entries and passwords in the browser, as well as the ability to transfer them over the network. No comments from Apple have yet been received, the only way to protect your device is to jailbreak it and install a special utility that will issue a warning about browser attempts to open any PDF document.

Via Gizmodo , Digdog , Gadgetfreaks