Apple patches, does not acknowledge, iOS malware vulnerabilities

Friday, Apple released an update to its mobile operating system (iOS 4.3.4) which patches a couple of vulnerabilities that left a door open for malware infections on the iPad, 3rd and 4th generation iPod touch, iPhone 4, and iPhone 3GS.

Apple's update describes the CoreGraphics vulnerability as "A buffer overflow…in FreeType's handling of TrueType fonts. Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution."

The second part of the vulnerability, pertaining to the IOMobileFrameBuffer framework, is described as "An invalid type conversion issue…in the use of IOMobileFrameBuffer queueing primitives, which may allow malicious code running as the user to gain system privileges."

The exploitation of these two vulnerabilities could give an attacker the ability to shut down or even control an iOS device with an appropriately crafted PDF file.

This update comes on the heels of an alert from German IT group BSI, which
warned of an unpatched vulnerability that would "allow attackers to gain access to the entire system with administrative privileges."

Apple did not directly address the report, saying it does not "disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available."