Since jailbreaking iPhones has been declared legal, security experts have been focusing on the techniques used and speculating about the fact that they can be used by criminals to mount attacks and compromise the devices.
A particular group of what seem to be legitimate enthusiasts has been running a site offering to jailbreak Apple devices (located at jailbreakme.com) for a couple of years now and, according to F-Secure, is currently also offering support for iOS 4. The users just need to surf to the page with their devices and run the offered drive-by script.
Security researchers have made it their business to find out just how the script works, and discovered that it uses specially crafted PDF files to first exploit a PDF font parsing vulnerability affecting Mobile Safari to execute malicious code, then a kernel vulnerability that allows the “attacker” to elevate to root privileges and break out of the sandbox.
The thing that should worry Apple users is that the same exploit could be used for decidedly malicious purposes. Also, if the vulnerability is present in the desktop installation of Safari or OS X, the target group for such an attack is even bigger than initially thought.
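Because the entry point described above is a crafted PDF that abuses font parsing, one thing a defender can do while waiting for a vendor fix is to triage incoming PDFs for embedded font programs and route the ones that carry them to a sandbox or a stricter viewer. The script below is an added illustration of that triage heuristic; it is not code from the article, from the jailbreakme.com authors, or from F-Secure. It scans raw PDF bytes for `/FontFile`, `/FontFile2` and `/FontFile3` references (the keys the PDF specification uses for embedded font programs inside a `/FontDescriptor`) and reports which font program types are present. The two sample documents are constructed for the demonstration, and the scan is plain-text only: fonts hidden inside object streams or encrypted PDFs are not seen, so an empty result is a weak "probably clean", not proof of absence.

```python
import re

# Keys that reference an embedded font program from a /FontDescriptor
# (PDF 1.7 specification, section 9.9).  /FontFile = Type 1, /FontFile2 = TrueType,
# /FontFile3 = CFF/Type1C/OpenType (the /Subtype of the stream says which).
EMBEDDED_FONT_KEYS = (b"/FontFile", b"/FontFile2", b"/FontFile3")


def find_embedded_fonts(pdf_bytes):
    """Return [(key, object_number), ...] for every embedded font program reference.

    Plain-text scan: it will miss references packed into object streams or
    encrypted documents, so treat [] as 'none visible', not 'none present'.
    """
    hits = []
    for key in EMBEDDED_FONT_KEYS:
        # e.g. b"/FontFile3 6 0 R"; the \s+ after the key means /FontFile does not
        # also match /FontFile2 or /FontFile3.
        pattern = re.escape(key) + rb"\s+(\d+)\s+\d+\s+R\b"
        for m in re.finditer(pattern, pdf_bytes):
            hits.append((key.decode(), int(m.group(1))))
    return hits


def font_program_subtype(pdf_bytes, obj_num):
    """Return the /Subtype of the stream object obj_num (e.g. 'Type1C'), or None."""
    obj_re = rb"(?<![0-9])%d\s+0\s+obj(.*?)stream" % obj_num
    m = re.search(obj_re, pdf_bytes, re.S)
    if not m:
        return None
    sub = re.search(rb"/Subtype\s*/(\w+)", m.group(1))
    return sub.group(1).decode() if sub else None


def triage_pdf(pdf_bytes):
    """Summarise embedded-font exposure for a single PDF.

    Embedded fonts are common in legitimate documents, so this is a routing signal
    (send to sandbox / open in a hardened viewer), not a malicious/benign verdict.
    """
    hits = find_embedded_fonts(pdf_bytes)
    programs = []
    for _key, obj_num in hits:
        programs.append(font_program_subtype(pdf_bytes, obj_num) or "unknown")
    return {
        "embedded_fonts": len(hits),
        "font_programs": programs,
        "route": "sandbox" if hits else "normal",
    }


# Constructed sample: one page, one Type 1 font whose descriptor embeds a CFF
# (Type1C) font program in object 6.  The stream body is filler, not a real font.
SAMPLE_WITH_FONT = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Resources << /Font << /F1 4 0 R >> >> >> endobj
4 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Demo /FontDescriptor 5 0 R >> endobj
5 0 obj << /Type /FontDescriptor /FontName /Demo /FontFile3 6 0 R >> endobj
6 0 obj << /Subtype /Type1C /Length 4 >>
stream
XXXX
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: same skeleton using a standard (non-embedded) font only.
SAMPLE_PLAIN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Resources << /Font << /F1 4 0 R >> >> >> endobj
4 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Helvetica >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for name, doc in (("with_font", SAMPLE_WITH_FONT), ("plain", SAMPLE_PLAIN)):
        print(name, triage_pdf(doc))
```

In a mail gateway or download proxy this would sit in front of the viewer and decide which documents get detonated in a sandbox; the `font_programs` list is the useful part for tuning, since a policy can be as narrow as "only route CFF/Type1C-bearing PDFs" if that is the parser at risk.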
So far, there are no indications that the vulnerability has been misused by criminals, although I must say that it seems highly likely that it has. Jailbreaking isn’t exactly a new practice – especially in countries where the devices are locked to allow their use on just one carrier.
Also, if this site has existed since 2007, and the same jailbreaking technique has been used since then, why didn’t Apple fix the vulnerability sooner? The company’s researchers are looking into the issue right now, but it seems impossible that they didn’t know about it until now.