German government warns of critical iOS flaws

German government warns of critical iOS flaws

More often than not when we post warnings about security ‘issues’, the information has been unearthed by insecurity outfits eager to turn a buck flogging their own solutions to the problems.

Every dire treatise about a worm or trojan or phishing attack or malicious malware malarkey normally ends in a well placed plug for one virus killer or another.

So its quite rare to receive a security warning from and actual honest-to-goodness government.

Germany has stuck its toes into the murky waters of online security before now, warning its populace that Internet Explorer was holier than the Pope’s string vest, and telling them to go elsewhere for their web browsing needs.

Today’s bout of governmental Chicken Little-ism propagated by Germany’s IT security agency the Bundesamt für Sicherheit in der Informationstechnik (BSI) warns of what it calls ‘new vulnerabilities in Apple’s operating system IOS’.

A statement on the organisation’s web site (in German) warns that Apple’s mobile operating system iOS is vulnerable to maliciously-crafted PDF files which can infect iDevices without installing additional malware.

“The potential vulnerabilities allow attackers to access the entire system with administrative privileges,” reads a Google translation of the warning, adding: “So far, no patch is available for these vulnerabilities.”

The PDF flaw may affect the iPhone 3G and iPhone 4, all iPad flavours and all iPod Touches running iOS up to and including version 4.3.3

We suspect that the vulnerability is the same one used by the current web-based JailbreakMe exploit which unlocks the innards of an iDevice allowing software not screened by Apple to be installed.

In an ironic twist of fate, there is a patch for the PDF flaw, but it only works on jailbroken devices.

The BSI warning says that, although no actual attacks have been detected, the vulnerabilities are publicly known, malicious code is available, and that attackers are, in all likelihood, beavering away on exploits at this very moment.

“Possible attack scenarios for cyber-criminals include the reading of confidential information (passwords, online banking data, calendars, e-mail content, text or contact information), access to built-in cameras, the interception of telephone conversations and the GPS localization of the user,” reads the statement.

Until Apple provides a patch, the organisation is warning users not to open PDF documents from unknown or untrusted sources included those embedded in web sites and emails.

It also says that Internet browsing should be restricted to ‘trusted web sites’.

The BSI says that it is in contact with the Apple and will report on new safety information as and when it is available, predicting that the company would provide a security update but giving no time-scale.

Apple said it did not comment on security issues.

Leave a comment on this article

Topics