WOW. That is an amazing hack. And a real one too! Nice catch.
I looked at the code too, very well done. I expect it patched by morning, but, they did a very good trick. Using the PDF interpreter to load code through Safari.
Of course, this only lends MORE Credibility to Job’s resistance to Adobe’s Flash. Adobe invented PDF too.
61 lines of code. Very elegant actually.
This is the code for my version of the iPhone while I wait for my White 4.
-—— SAFE JUST A COPY ———
1.
%!PS-Adobe-3.0
2.
%%Pages: (atend)
3.
%%BoundingBox: 0 0 0 0
4.
%%HiResBoundingBox: 0.000000 0.000000 0.000000 0.000000
5.
%%Creator: GPL Ghostscript 871 (pswrite)
6.
%%CreationDate: 2010/08/02 20:22:49
7.
%%DocumentData: Clean7Bit
8.
%%LanguageLevel: 2
9.
%%EndComments
10.
%%BeginProlog
11.
% This copyright applies to everything between here and the %%EndProlog:
12.
% Copyright (C) 2010 Artifex Software, Inc. All rights reserved.
13.
%%BeginResource: procset GS_pswrite_2_0_1001 1.001 0
14.
/GS_pswrite_2_0_1001 80 dict dup begin
15.
/PageSize 2 array def/setpagesize{ PageSize aload pop 3 index eq exch
16.
4 index eq and{ pop pop pop}{ PageSize dup 1
17.
5 -1 roll put 0 4 -1 roll put dup null eq {false} {dup where} ifelse{ exch get exec}
18.
{ pop/setpagedevice where
19.
{ pop 1 dict dup /PageSize PageSize put setpagedevice}
20.
{ /setpage where{ pop PageSize aload pop pageparams 3 {exch pop} repeat
21.
setpage}if}ifelse}ifelse}ifelse} bind def
22.
/!{bind def}bind def/#{load def}!/N/counttomark #
23.
/rG{3{3 -1 roll 255 div}repeat setrgbcolor}!/G{255 div setgray}!/K{0 G}!
24.
/r6{dup 3 -1 roll rG}!/r5{dup 3 1 roll rG}!/r3{dup rG}!
25.
/w/setlinewidth #/J/setlinecap #
26.
/j/setlinejoin #/M/setmiterlimit #/d/setdash #/i/setflat #
27.
/m/moveto #/l/lineto #/c/rcurveto #
28.
/p{N 2 idiv{N -2 roll rlineto}repeat}!
29.
/P{N 0 gt{N -2 roll moveto p}if}!
30.
/h{p closepath}!/H{P closepath}!
31.
/lx{0 rlineto}!/ly{0 exch rlineto}!/v{0 0 6 2 roll c}!/y{2 copy c}!
32.
/re{4 -2 roll m exch dup lx exch ly neg lx h}!
33.
/^{3 index neg 3 index neg}!
34.
/f{P fill}!/f*{P eofill}!/s{H stroke}!/S{P stroke}!
35.
/q/gsave #/Q/grestore #/rf{re fill}!
36.
/Y{P clip newpath}!/Y*{P eoclip newpath}!/rY{re Y}!
37.
/|={pop exch 4 1 roll 1 array astore cvx 3 array astore cvx exch 1 index def exec}!
38.
/|{exch string readstring |=}!
39.
/+{dup type/nametype eq{2 index 7 add -3 bitshift 2 index mul}if}!
40.
/@/currentfile #/${+ @ |}!
41.
/B{{2 copy string{readstring pop}aload pop 4 array astore cvx
42.
3 1 roll}repeat pop pop true}!
43.
/Ix{[1 0 0 1 11 -2 roll exch neg exch neg]exch}!
44.
/,{true exch Ix imagemask}!/If{false exch Ix imagemask}!/I{exch Ix image}!
45.
/Ic{exch Ix false 3 colorimage}!
46.
/F{/Columns counttomark 3 add -2 roll/Rows exch/K -1/BlackIs1 true>>
47.
/CCITTFaxDecode filter}!/FX{<</EndOfBlock false F}!
48.
/X{/ASCII85Decode filter}!/@X{@ X}!/&2{2 index 2 index}!
49.
/@F{@ &2<<F}!/@C{@X &2 FX}!
50.
/$X{+ @X |}!/&4{4 index 4 index}!/$F{+ @ &4<<F |}!/$C{+ @X &4 FX |}!
51.
/IC{3 1 roll 10 dict begin 1{/ImageType/Interpolate/Decode/DataSource
52.
/ImageMatrix/BitsPerComponent/Height/Width}{exch def}forall
53.
currentdict end image}!
54.
/~{@ read {pop} if}!
55.
end def
56.
%%EndResource
57.
/pagesave null def
58.
%%EndProlog
59.
%%Trailer
60.
%%Pages: 0
61.
%%EOF
Rachel, you should know that the PDF Viewer in iOS was 100% written by Apple - Adobe had nothing to do with other than being the source of the file specification.
This hole does NOT exist in Adobe's reader - only the one that Apple created. This is Apple's - and Apple's alone - major security hole.
You can now apologize for calling me a liar and much worse when I said there were holes in iOS. Including one that gives a website 100% unrestricted root access to an iPhone, but just browsing to that site.