After all the trouble Apple went to to secure the boot loader, I expected this to be a really complicated procedure. I saw the Tweet today and I went on the site, clicked on "install" and Cydia started installing.
I was blown away. How is this even possible? Did they find another userland exploit that allows you to write to the boot loader? I am very, very impressed.
"Q: Do the holes discovered by @comex put my device at risk?
A: Yes. We recommend installing PDF Patcher 2 in Cydia once you’re jailbroken to eliminate this risk (any firmware version)."
PDF really is the most dangerous file format around today.
Did you know the PDF spec includes its own LISP-like language? As well as basically anything else you can imagine. It is surely impossible to write a secure, conformant PDF reader.
If I ran any kind of super-sensitive organisation I'd include an outright ban on PDF renderers in my security policy. If anyone really needed to look at PDFs, I'd require them to be rendered down to TIFFs or something on a "cleanroom" machine, preferably running some sort of locked-down Linux build.
That one wins by not bothering to conform to the PDF spec at all.
The spec is huge, and the insecurity comes from having to faithfully implement all its utterly insane features, like embedding Flash files, executing JavaScript, rendering external assets, and so on.
The challenge is to decide which subset of those features you want to deliberately ignore.
Most of the esoteric ones are likely critical to obscure, in-house business applications created years ago by corporate coders lacking in sense. Adobe Reader obviously implements everything, and it's the reference implementation, so it is installed in most businesses.
Unfortunately, business is the area most in need of security.
Some rich clients deliberately ignore parts of the format. For example, the Windows-based Sumatra client did. It seems to have been acquiring more features in the last few releases, and I'm not sure of its current state. But in the past it has been useful for example in that it simply doesn't run embedded JavaScript. Or Flash.
That's been my personal approach, such as it is, to the need to deal with some PDF files from third parties. I look for the environment that does no more than render the static page content.
Somewhat akin to using NoScript in the browser. I only execute when I need to, and then from a source for whom I have some trust.
I recently had to clean up some business systems belonging to a relative whose employee ran an infected PDF. By avoiding execution, I was able to examine the PDF and show them how it was indeed the source of their problems.
Unfortunately, these "business users" still have limited will to learn the techniques to avoid such problems. I've made some impression, but the Adobe PDF format is still a time bomb ticking away in the midst of their organization.
I'll mention that, for casual browsing, I use an extension that redirects PDF URLs to Google's Document Viewer (while not signed in to Google). Again, I get (usually) the static view without having to trust or execute the file on my own system. Thanks, Goog!
(Note that I don't do the latter with documents containing sensitive/personal information.)
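The two comments above make the same practical point from different ends: a renderer that ignores the spec's active features (JavaScript, Flash, external assets) is safer, and a suspect PDF can be examined without ever executing it. What a practitioner wants for that second step is a way to answer "does this file ask the reader to do more than draw a page?" before opening it. The script below is an added example, not code from the thread or from any of the tools mentioned in it: it greps a PDF for the dictionary keys that introduce active content, undoes the `#xx` hex escapes that let `/JavaScript` hide as `/J#61vaScript`, and looks inside FlateDecode streams as well as the raw file. The two sample PDFs are constructed inside the script (the JavaScript payload is a harmless `app.alert`) and are not real documents. It is a triage heuristic, not a PDF parser: it does not handle object streams, encryption or other filters, so a clean result is evidence, not proof.

```python
"""Triage a PDF for active-content features before deciding whether a static renderer is enough.

Added example; the sample files below are constructed in this script, not taken from any real case.
"""
import re
import zlib

# Dictionary keys that ask the reader to do more than draw the page. Not exhaustive.
ACTIVE_KEYS = {
    b"/OpenAction": "action run automatically when the document opens",
    b"/AA": "additional (event-triggered) actions",
    b"/JavaScript": "JavaScript action",
    b"/JS": "JavaScript source (string or stream)",
    b"/Launch": "launch an external program",
    b"/URI": "fetch a remote resource",
    b"/RichMedia": "embedded Flash / rich media",
    b"/EmbeddedFile": "embedded file attachment",
    b"/XFA": "XFA form (XML that may carry script)",
}

# A PDF name ends at whitespace or a delimiter; this keeps /JS from matching a longer name.
NAME_END = rb"(?![^\s()<>\[\]{}/%])"


def normalise_names(data: bytes) -> bytes:
    """Undo #xx hex escapes in names, so /J#61vaScript is seen as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> list:
    """Return the body of every stream that inflates cleanly as a complete zlib (FlateDecode) stream."""
    bodies = []
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)endstream", data, re.S):
        d = zlib.decompressobj()
        try:
            text = d.decompress(m.group(1))
        except zlib.error:
            continue  # not Flate, or another filter; this is triage, not a full parser
        if d.eof:  # only trust complete streams; trailing newline lands in unused_data
            bodies.append(text)
    return bodies


def scan_pdf(data: bytes) -> dict:
    """Count each risky key in the raw file and inside any Flate-compressed streams."""
    views = [normalise_names(data)] + [normalise_names(b) for b in inflate_streams(data)]
    hits = {}
    for key in ACTIVE_KEYS:
        pattern = re.escape(key) + NAME_END
        n = sum(len(re.findall(pattern, v)) for v in views)
        if n:
            hits[key.decode()] = n
    return hits


def report(data: bytes) -> list:
    """Human-readable findings; an empty list means nothing beyond static page content was seen."""
    return [f"{k} x{n}: {ACTIVE_KEYS[k.encode()]}" for k, n in scan_pdf(data).items()]


# --- constructed sample files (not real documents) ---------------------------

def build_pdf(objects: list) -> bytes:
    """Assemble numbered objects into a minimal PDF with an xref table."""
    out = bytearray(b"%PDF-1.7\n")
    offsets = []
    for i, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (i, body)
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objects) + 1, xref_at)
    return bytes(out)


def _stream(dict_entries: bytes, body: bytes) -> bytes:
    return b"<< /Length %d %s>>\nstream\n%s\nendstream" % (len(body), dict_entries, body)


PAGE_OBJECTS = [
    b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 100] /Contents 4 0 R >>",
    _stream(b"", b"BT /F1 12 Tf 20 50 Td (hello) Tj ET"),
]

# Text only: what a static renderer needs and nothing more.
BENIGN_PDF = build_pdf([b"<< /Type /Catalog /Pages 2 0 R >>"] + PAGE_OBJECTS)

# Same page, plus an OpenAction that runs JavaScript kept in a Flate stream, with the action
# name hex-escaped (/J#61vaScript) the way a grep-evading sample might write it.
ACTIVE_PDF = build_pdf(
    [b"<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >>"]
    + PAGE_OBJECTS
    + [
        b"<< /S /J#61vaScript /JS 6 0 R >>",
        _stream(b"/Filter /FlateDecode ", zlib.compress(b"app.alert('constructed sample');")),
    ]
)

if __name__ == "__main__":
    for name, pdf in (("benign", BENIGN_PDF), ("active", ACTIVE_PDF)):
        print(name, report(pdf) or ["static content only"])
```

Running it reports nothing for the text-only file and three findings for the second (`/OpenAction`, `/JavaScript` recovered from its hex-escaped form, and `/JS`). The useful habit is to run a check like this on the cleanroom or triage machine first, and to treat any hit as a reason to stop at the static rendering rather than open the file in a full-featured reader.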
The complexity of the PDF specification isn't what's relevant here. Even if pdf.js were to implement all of the PDF specification, it would still be more secure than Apple's renderer, because it's written in a memory-safe language.
This is one of the reasons pdf.js is so important: it reduces the attack surface of the browser.
I can't view the talk right now... do you mean its own scripting language or the fact that PostScript is turing complete? Either way you could execute it in a sandboxed environment and be pretty damn confident there won't be any problems.
Exactly. And look at how much of a nightmare it is every day! Fortunately on the web it is very useful. No need to invite that pain into an environment designed for replicating the printed page though.
And the thing is, the HTML spec doesn't include JS. It specifies a way of marking it up. That's not the same thing. The core PDF spec actually contains features so powerful, you could almost make a Lisp machine out of them. See the video for details.
When you can rewrite your bootloader from the web, I think it's safe to say there is a nasty browser & userland exploit out there for all iPads. Just like rooting an Android phone without adb or pre-rooted images usually involves OS-level exploits.
The only way to be safe from these is usually to root/jailbreak your system and then patch it up using your newly acquired powers to close the hole before anyone else gets cheeky.
Will be interesting to see if any virus-makers will decide to exploit this before Apple patches it up in a later iOS release.