Monterey Ready! The Only CRM App Made For Your Mac.

How To Prevent iOS From Automatically Loading PDFs [Vulnerability]

Last night JailbreakMe was released in the wild. As we reported, it’s one of the simplest jailbreak tools ever made, as it requires only one slide in Mobile Safari to install Cydia on your device. You visit a link, slide, and wait. As we also reported, though, the exploit seems to based on a PDF vulnerability in iOS: the iPhone automatically downloads PDF files, and Comex injected the jailbreak code in a PDF file.

Update #1: It’s not a PDF header issue, it’s the FlateDecode stream section.

Update #2: Charlie Miller says it’s not the FlateDecode stream section either (the bug Huang suggested it’s in Adobe’s renderer, not Apple’s), it’s a PDF font bug: [via DF]

“Starting to get a handle on exploit. Very beautiful work. Scary how it totally defeats Apple’s security architecture.”

Like I said, it’s pretty great for jailbreakers - but for “normal” people and Apple this is a serious threat to security.

So now that you’ve jailbroken your device, wouldn’t it be best to fix this hole, in order to prevent malicious softwares to land on your phone by using the same technique?

[Check out for our full Cydia / Jailbreak coverage]

Tweeted by @cdevwill earlier today, all you have to do is download this .deb file and open it on your device using either Terminal from your Mac, or iFile on the iPhone. Just download it and place it in /var/mobile.

- Using Terminal:

ssh root@your IP address


dpkg -i file.deb

Where “alpine” is the default password you’ll get after installing Open SSH from Cydia and “your IP address” is located under Settings - > Wifi - > active wifi connection.

- Using iFile:

Navigate to /var/mobile and double tap on the .deb file to install it.

Please be aware that this won’t fix the issue, but it’ll simply ask you if you really want to open a .PDF every single time. If the source is trusted, you can confirm. But if you happen to visit a website that tries to install malicious stuff on your iPhone using @comex’s method, then you’ll be able to kill it.

Apple will surely address the bug in a future iOS release, but if you want to be safe right now - give it a try.

Unlock MacStories Extras

Club MacStories offers exclusive access to extra MacStories content, delivered every week; it’s also a way to support us directly.

Club MacStories will help you discover the best apps for your devices and get the most out of your iPhone, iPad, and Mac. It’ll also give you access to advanced iOS shortcuts, tips and tricks, and lots more.

Starting at $5/month, with an annual option available.

Join the Club.

A Club MacStories membership includes:

  • MacStories Weekly newsletter, delivered every week on Friday with app collections, tips, iOS workflows, and more;
  • MacStories Unplugged podcast, published monthly with discussions on what we’re working on and more;
  • Monthly Log newsletter, delivered once every month with behind-the-scenes stories, app notes, personal journals, and more;
  • Access to occasional giveaways, discounts, and free downloads.