Apple Fixes iOS PDF Security Hole With iOS 4.0.2 and 3.2.2

[swoods93631]

Did this update trash anyone else's phone?

Trashed mine, in recovery mode now.. This is the second time this year an OS update has trashed my phone. Pisses me off!

 

[KnightWRX]

Trashed mine, in recovery mode now.. This is the second time this year an OS update has trashed my phone. Pisses me off!

Nope, went smooth as butter.

 

[Bernd]

Is there anyone out there in MacRumorsLAND besides myself that actually did the update? LMAO...

Updated my IPad wish I could have updated my iPod Touch gen 1 to 3.1.4 with a fix but apple has forgotten about the gen 1 devices.

 

[twilson]

Proximity issue = hardware!!!

This is crap.. they will keep themselves from losing money on JB phones.. but won't fix the issue so people can actually use the phone to make calls!!

You'd rather have a phone that can be pwned nice and easy? Bizarre logic you have.

 

[polaris20]

Updated my IPad wish I could have updated my iPod Touch gen 1 to 3.1.4 with a fix but apple has forgotten about the gen 1 devices.

I can't wait to have a gen 1 iPad in a couple years that Apple abandons with security updates, so I'll have a $600 insecure device instead of just a $300 insecure device, like I do now.

 

[Daveoc64]

You'd rather have a phone that can be pwned nice and easy? Bizarre logic you have.

Which is REALLY worse:

1) Choosing to open a maliciously crafted PDF file that does something harmful to your device - remember you'd have to actually get this PDF on your device somehow: by visiting a bad website, attachment etc.

2) Disconnecting your calls by placing the phone to your ear.

I'd say number 2 is far more serious in day to day usage.

 

[Jayman34187]

... is a patch to close up the vulnerability on jailbroken devices, without resorting to doing the whole firmware upgrade that erases all the existing content! Can't someone post a security patch on Cydia?

What I think it is... Apple don't want your Iphone Jailbroken, keyword (YOUR) iphone. Apple want all of the control and want you on Itunes and the App store spending your $$$ which is fine, but go freaking nuts about it why don't ya Apple geez. It's legal to jailbreak your Iphone get over it...It's your device your choice, tired of Apple trying make all of the choices for us.

You guys ever think maybe AT&T networks are pretty bogged down from all the Iphone users? and the sensor problem on Iphone 4 was on purpose, If millions of phones aren't getting a good signal I'm sure that helps out AT&T network from working as hard ya think?? the new OS 4.0 and 4.0.1 are both a problem on my 3GS, it's a hardware problem and one that was created on purpose I believe.. They could fix the problem right away if they wanted to. Why am I having problems on my 3GS now??? never did with 3.1.3 hmmm

 

[Fandango Jones]

This is a weird question, but my cousin stupidly went on Jailbreakme and jailbroke my 4.0.1 iPhone 4, when I didn't want it to be done. Now when I try to recover, it asks me to update to 4.0.2. Will the update unjailbreak it for me or mess me up? :S

 

[nilk]

This is a serious security hole that has been widely publicized and is easy to exploit. Maybe there are no reports of it being maliciously used in the wild, but if I was a virus author, I would certainly be looking at making use of it, and once a virus is written spreading URLs to it through e-mail, SMS messages, Facebook, and whatever means I could think of (infected iPhones would of course send e-mails, SMSes, etc to everyone in the contact list like any competent phone virus would).

1. If you have no intentions of jailbreaking, do the update!

2. If you have jailbroken, install the PDF Loading Warner from Cydia.

3. If you are thinking of jailbreaking, but are on the fence: Make your decision now, jailbreak if you are going to jailbreak, or not, then see #1 or #2 depending on your decision.

It's the morons who do nothing because they can't be bothered that will be responsible when an iPhone virus starts spreading.

 

[Rodimus Prime]

I don't mind having to download a large image. Taking updates and tying them in piecemeal always made me have issues with some other OSes.

then let you restore you iPhone/iPod at every update. I do not mind having to download the entire OS for going from like iOS 3 to 4 but for a minor patch update like this. No need to and shouldn't have 2.

Apple way of fixing this huge security hole is hurt by this method because tons of people out there will not get the update because of the rather large file size. That is why I tend not to update my iPod between versions. It was more trouble than it was worth.

 

[Digital Dude]

No, not officially. You can do it, but it requires third party tools. I was able to downgrade my 3G back to 3.1.2, but it was a process I wouldn't expect non-techies to be able to accomplish easily (I used a command line tool, but I think there is some GUI tool you can use to do the same thing).

I've heard that turning off Spotlight, and then rebooting your phone a few times can fix performance issues, but I haven't tried this.

Well, I'm not all that smart but I can attest the procedure (link below) worked to restore my semi-bricked iPhone 3G back to a functional state. It now ‘just works’ like it use to before iOS 4.x. The folks on this site provide the two required 'point-n'-click' resources, so it's fairly simple albeit the normal time consuming 'restore' process.

http://lifehacker.com/5572003/how-to-downgrade-your-iphone-3g[s]-from-ios-4-to-ios-313

 

[iPhoneFour]

MyWi is awesome

Yup, still thinking of JB my phone. I'm going to hold off on this for now.

Linking my iPad and my (upcoming) Kindle 3 to my iPhone is really nice when you need it. Thanks ATT for screwing up tethering.

Apple + ATT : We have tethering for your iPhone!
Me : great can't wait to link it with my iPad.
Apple + ATT : Well um no we only do bluetooth - even tho the iPad has bluetooth, we're not supporting or updating it.
Me : You make both - and you telling me you can't link them.
Apple + ATT : Correct.

Had no interest what-so-ever in jailbreaking until the above stupidity happened (oh and the govt giving the green light - THANKS LIBRARY OF CONGRESS). Took 3 minutes to fix.

Best part? I had a .pdf fix available before Apple offered it - from Cydia (the jailbreak online store).

And of course I can restore in iTunes if I need to use my warranty Apple, but thanks for the misinformation earlier this month, appreciate it.

 

[danmdan]

As of 10.45 p.m. UK-DST neither update is available in UK. Still shows 3.2.1 and 4 as being up to date.

 

[andys53]

Can anyone test "Handy Light" to see if it breaks the tethering on that easter egg app?

I posted on this earlier but got no replies. Now I've had more time to look it's either broken or very very slow.

 

[KnightWRX]

Which is REALLY worse:

1) Being coerced to open a maliciously crafted PDF file or simply having it linked in the HTML and opening automatically that does something harmful to your device - remember you'd have to actually get this PDF on your device somehow: by visiting a bad website, attachment etc.

Fixed that for you.

Hint, 1) is worse.

 

[Heinekev]

+1.

It's ridiculous they haven't offered a fix for this yet.

+1, getting really disillusioned with Apple over this prox sensor. My phone is literally unusable for voice calls, and it's a business phone.

Took them a week to update something harmless and trivial, and they're still sitting on their haunches over a crippling issue. Must be more to it than a software fix.

****.

 

[twilson]

Which is REALLY worse:

1) Choosing to open a maliciously crafted PDF file that does something harmful to your device - remember you'd have to actually get this PDF on your device somehow: by visiting a bad website, attachment etc.

URL Shortener can easily hide the fact a link is to a PDF, or the PDF could open in a hidden iframe, either way you can still unknowingly open a PDF.

2) Disconnecting your calls by placing the phone to your ear.

I'd say number 2 is far more serious in day to day usage.

Has happened to me once or twice. If you think that Proximity Sensor problem is a bigger issue than the ability to completely take over the phone with an exploit that you can be tricked easily into invoking (and lose god knows what personal information and the like) you need your head examined.

 

[avanpelt]

Proximity issue = hardware!!!

This is crap.. they will keep themselves from losing money on JB phones.. but won't fix the issue so people can actually use the phone to make calls!!

You'd rather have a phone that can be pwned nice and easy? Bizarre logic you have.

Uh no, twilson. This thing is a phone. iCrizzo wants to be able to use it as a phone without muting, conferencing, or ending calls with his cheek. That shouldn't be too much to ask of a phone in the year 2010, should it?

 

[KnightWRX]

Uh no, twilson. This thing is a phone. iCrizzo wants to be able to use it as a phone without muting, conferencing, or ending calls with his cheek. That shouldn't be too much to ask of a phone in the year 2010, should it?

No, but the priority should also be to secure the information contained in the phone so it is not acquired by a malicious third party without your conscent.

Again : iPhone 4 proximity sensor is 1 model suffering 1 issues. This flaw is everywhere iOS is, all models of hardware. One could result in you not being able to stick your phone on your face. The other could result in identity theft, DDoS (using your 3G data and thus your money), Zombie networks.

 

[japanime]

I wish they cared more about the proxy sensor than fixing a stupid jailbreaking hole. Thanks apple, always thinking about the customers.

Apple's built-in Nike+ application also remains broken under iOS4, and they haven't even acknowledged a problem with that.

Somebody mentioned that the latest beta build of iOS4 fixes Nike+, but who knows when that will be released publicly.

 

[wrkactjob]

It's a remote root hole. I can't think of very many things more important.

Whats the worse case scenario?...sorry I have no IT knowledge,but my phone has no sensitive data,it does have some pics of our cats kittens though, would a hacker be able able to view them?

 

[kirk26]

lol how long it took...

Yea, about a week. The Horror!!!!

 

[WannaGoMac]

To those complaining about the size of updates for iOS, reinstalling iOS at each update (especially with recent root escalation exploit) eliminates any malicious software that may have been installed due to an exploit.

This promotes security and saves them from having to include software that can find malicious code to remove it. Such programs (antivirus software) are bloated, eat up resources, and reduce battery life.

I am sure you didn't mean it but this comes across like the biggest Apple apologist statement I have seen in a long time LOL

 

[Den Policarpio]

500mb for a lame update!

+1. Funny because it's true

 

[KnightWRX]

Whats the worse case scenario?...sorry I have no IT knowledge,but my phone has no sensitive data,it does have some pics of our cats kittens though, would a hacker be able able to view them?

So you have no contacts or e-mail or notes or browser cookie or saved bank logins anything at all on the phone ?

Nor do you have a data plan that can be abused for DDoS purposes if your phone is made part of a zombie network costing you money in data usage ?