Apple patches security hole in pair of iOS updates
By Dan Moren, Macworld
As promised last week, Apple delivered a patch to fix a pair of security vulnerabilities on iOS devices. The patch came in the double-barreled form of iOS 4.0.2 for iPhone and iPod touch and iOS 3.2.2 for iPad, both of which the company released on Wednesday.
The security patches are the only changes in the updates, but they’re significant ones. The first addresses a flaw in PDF handling that could allow a maliciously crafted PDF to execute arbitrary code; the second closes a hole that allowed code to gain escalated privileges, letting it potentially affect other installed applications as well as the iOS software itself.
The pair of vulnerabilities were first uncovered by hackers, who used the combination of the two to enable jailbreaking of iOS devices via the Web. Security experts quickly cautioned that a maliciously crafted PDF could theoretically use the hole for other, more nefarious purposes. Apple investigated the problem and said last week that it would soon offer a fix for the holes.
Both updates are available via iTunes when the respective iOS device is connected, but update size will vary by device model. iOS 4.0.2 is compatible with any iPhone 3G, iPhone 3GS, iPhone 4, or second- and third-generation iPod touch running iOS 4.0 or later; iOS 3.2.2 is compatible with iPads running iOS 3.2 or later.