Apple said two weeks ago that it was aware of an iOS security flaw that could leave iPhone and iPad users vulnerable to attack via malicious PDF files. The exploit could have been used by hackers to gain access to Apple mobile devices and view user data, or infect the devices without user knowledge. Apple promised an update to patch the flaw, and it’s available now through iTunes.
Software version 4.3.4 promises to fix the critical security issues and includes other minor bug fixes. According to Apple’s security update page:
Available for: iOS 3.0 through 4.3.3 for iPhone 3GS and iPhone 4 (GSM model), iOS 3.1 through 4.3.3 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.3 for iPad
Impact: Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in FreeType’s handling of TrueType fonts. Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution.
The update is for GSM models of the iPhone 4, iPhone 3GS, iPad 2, and third- and fourth-generation iPod touch models. For CDMA iPhone users on Verizon, software version 4.2.9 is available.
There is also an IOMobileFrameBuffer fix:
Available for: iOS 3.0 through 4.3.3 for iPhone 3GS and iPhone 4 (GSM model), iOS 3.1 through 4.3.3 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.3 for iPad
Impact: Malicious code running as the user may gain system privileges
Description: An invalid type conversion issue exists in the use of IOMobileFrameBuffer queueing primitives, which may allow malicious code running as the user to gain system privileges.
If you own any of the aforementioned devices and haven’t yet updated your software, it is highly recommended that you do so in order to protect your device from malicious software or attacks. Be sure you have time, however, as the file size for the software fix is close to 700MB. Depending on your connection speed, the download and update may take up to 25 minutes in total.