Fix for the JailbreakMe iOS 4 PDF Font Security Hole (Jailbreak Required)

The recent Mobile Safari-based jailbreak exploit takes advantage of a bug in Apple’s PDF font rendering frameworks to have your iPhone 4, iPad or iPod Touch execute a piece of code.

Whilst this is very handy if you want to jailbreak your iPhone with JailbreakMe, it actually means that any web site can run anything it wants on any iPhone, iPod or iPad. All someone has to do is get you to navigate to a web page with the malicious PDF file on it.

Unfortunately, unless you jailbreak your iPhone, you are going to have to wait for Apple to issue a full iOS update to fix this security hole. In the meantime, be careful which sites you visit. If you are duped, you will not be given the option to decline the PDF download once you have clicked through to the page it is on.

If you have jailbroken your device, or plan to, then Cult Of Mac has published details of how to patch your iPhone, iPad or iPod Touch running iOS 4, so that it is not vulnerable anymore. This patch installs a pop-up that asks you if you are sure when you try to open a PDF file.

From Cult Of Mac:

This patch doesn’t fix the hole, but it does pop up a warning asking you if you want to open a .PDF file. If you trust the source of the PDF file, you hit ‘Load.’ If not, ‘Cancel.’

Download this .deb file from Will Strafach (@cdevwill) and open it on your iOS device using iFile, a file manager that can be installed using Cydia. (Note: Strafach says he’s working on an easy-to-use app to install the .deb file that will be released to Cydia on Tuesday as PDF Loading Warner).

Navigate to /var/mobile
Double tap the .deb file to install it.

If you navigate to a website that tries to automatically open a PDF file, the following warning box will pop up:

“View File? The application wants to display a PDF on your device. There is a known bug in the PDF loading code that makes the running of arbitrary code possible, which could compromise your system. Are you sure you want to continue?”

If you use this patch, please let us know in the comments how it is behaving for you.
