Most folks would have heard about the new iPhone jailbreak by now. What's less known is how the new web-based jailbreak of the iPhone makes use of not one, but two different security flaws in order to work its magic. The first step exploits a flaw in how Safari processes fonts within PDF files, allowing code to be injected or arbitrarily executed.

This code is then used for the second step, which exploits a vulnerability in the kernel to break out of the usual sandbox restrictions within the Safari browser and to gain access to elevated access privileges. And to remove restrictions preventing Apple-approved software from running, of course.

However, this particular jailbreak is ringing alarm bells with security analysts, especially since it entails nothing more than visiting a specific web address. Even David Marcus, a security research and communications manager at McAfee Avert Labs now voices doubts about the latest jailbreak. While confessing to jailbreaking iPhones to get at security and command-line software that's not otherwise available, Marcus summed up his concerns in a blog post: "Vulnerabilities with reliable exploit code tend to get reused and repurposed for other attacks/malware/uses."

I have some thoughts about this, which I highlight in today's editorial.

For more on this story:
- check out this article at InformationWeek
- check out this article at eWeek 

Related Articles:
Feds say jailbreaking phones is legal
AT&T ushers out era of unlimited mobile data
AT&T, Apple struggle with iPhone 4 demand
iPhone 4 sells out on a pre-order basis
Apple unveils iPhone 4
Apple maintains ban on Adobe with iPhone 4.0
Lessons from the AT&T/iPad user email address leak