Foursys - specialists in network threat protection
Company News

Three free tips to better protect your iPhone

Smartphone security expert Graham Lee offers some simple advice on how better to protect your iPhone or iPad.

The iPhone - along with the rest of Apple's iOS product family - seems to me to be the TARDIS of the computing world.

There's a full-featured UNIX computer with almost permanent network access, and it fits in my pocket: surely it must be bigger on the inside. Apparently you can even use them to make phone calls, too.

It certainly puts my first portable to shame.

Of course, such a powerful computer must be protected, particularly when you use it for sensitive tasks like email and editing work documents on the move. So here's a short list of iOS tips to help you stay secure using your iPhones and iPads.

1. Set the passcode

All of Apple's products that run iOS allow the user to configure a passcode. The passcode controls access to the apps and data installed on the device. No passcode, no data - and there's no way to get around that, because content including saved passwords and mail attachments is encrypted so that without the passcode, iOS can't read the content at all.

To enable the passcode, first launch the Settings app. In the "General" section, look for the "Passcode Lock" setting. Tap that, and you'll see a screen that allows you to turn the passcode on, and to define when it's required and whether to use a "simple passcode" (a four-digit PIN) or a longer password.

Even though iOS is designed to slow down "brute force" attacks (where the attacker enters multiple guesses at the passcode until he finds the correct value), guessing one of the 10,000 simple combinations is very quick.

Particularly if you use one of the most common PINs.

It's best to turn simple passcode off and use a stronger password, following Graham Cluley's advice.

2. Don't jailbreak

By default, Apple limit the software that will run on your iPhone or iPad to their own apps, and anything that you download through their app store. They do this to restrict the chance that malware gets onto the devices, and so far it seems to work: iOS has not seen the same malware problems that have plagued Android.

Google are more permissive about the software allowed in their marketplace, and allow installation of non-marketplace apps: both good avenues for getting malware onto a mobile phone or tablet.

Of course, some people (including regular Naked Security contributor Duck, who discussed the issue in a recent Chet Chat podcast) see this as an unwelcome limitation on what they can do with the phones that they paid for.

Such people may turn to jailbreaking to remove Apple's limitations, so that they can install unapproved software or reconfigure the operating system.

Down that path lies iPhone malware and an easy route for attackers to install remote access tools, keyloggers (well, taploggers I suppose...) and other nasty things.

"Grange Hill" stalwart Zammo would probably agree with me here: when it comes to jailbreaking, just say no.

3. Be careful of where you surf

Phishing, and other scams like the recent iTunes giftcard ruse, do not depend on your technology choices: they're designed to fool you, not your computer.

With that said, it's perhaps easier to be taken in when surfing with Mobile Safari: user interface hints including the location bar and the SSL padlock are smaller, and in scrolling to read a page's content you'll push them off the top of the page and perhaps forget to check that you're on the correct site.

Especially if you've just snuck your phone out during that boring meeting, and are still half-listening to the Q3 sales projections.

Personally, I reserve sensitive tasks including online shopping and banking for either native apps released by the banks and stores, or for the desktop browser where it's easier to see whether I'm on the right website.

I hope you found those tips useful. For more chat about mobile security and privacy, please follow me on Twitter.

 

Apple jailbreak patch already circumvented


An Apple patch for a jailbreak vulnerability has already been broken.

At the end of last week, Apple released an iOS update to version 4.3.4 to close a hole used by the website 'JailbreakMe' that appeared earlier this month. Two of the fixes in the update were for font handling issues in PDFs that allow for remote code execution, while the third fix was in the graphics handling code and can be exploited to allow for elevation of privilege.

Chester Wisniewski, senior security advisor at Sophos Canada, said that the 'JailbreakMe' hack used at least two of the three flaws to jailbreak the iDevices by initially downloading a PDF to gain the ability to run arbitrary code and then sending down a PNG file that elevated itself to root to perform the jailbreak.

Andrew Storms, director of security operations for nCircle, said: “Apple released this fix less than ten days from the time it went public on 6th July, just like they did last time there was a serious jailbreak vulnerability. These vulnerabilities have been getting a lot of attention from security researchers because the exploits appear to overcome a number of security features on the iPhone. If this turns out to be the case, Apple could be in for some serious problems.”

However Paul Ducklin, head of technology for Sophos Asia Pacific, said that the jailbreakers are claiming to be back in, with reports claiming that a new jailbreak is available.

According to redmondpie.com, this new jailbreak method does not work for iPad2 users and cannot be done by visiting a website. Wannabe jailbreakers will need to do a tethered jailbreak and need to re-jailbreak the device every time they reboot.

Ducklin said: “Nevertheless, Apple's latest security fix has been circumvented already. With this in mind, the tricky question becomes ‘whom should I trust more, Apple or the jailbreakers?' I can't answer that question and if your iDevice is provided by your company, you shouldn't try to answer it by yourself.

“So if you're thinking of jailbreaking, ask yourself, ‘do I distrust the jailbreakers?' If not, then jailbreaking may be for you. Just be sure to read all the security guidelines associated with the process and be sure you have the explicit permission of the owner of the device.”

 

Lying Facebook app offers Google+ invites


Facebook scammers have latched onto the buzz around Google+ as the theme for a new scam that has already claimed thousands of victims.

A fake app, called "Google Plus Direct Access", prompts users to visit a page on the social networking site they need to "like" in order to progress: a process that hands over personal information to the unknown developers of the dodgy app. Would-be victims are falsely offered a chance of getting an invitation to Google+, it is implied, in exchange for spamming their friends with invites to try out the rogue app.

No such offer is actually available.

In reality victims only succeed in further publicising the rogue app, which falsely claims that it offers a means to "Invite 50 friends!" onto Google+.

The whole ploy, which might easily be altered to promote sites harbouring malware or running privacy-threatening survey scams, is already serving as an efficient spreading mechanism.

Net security firm BitDefender reports that the tactic has allowed the dodgy application to gain more than 15,000 fans in less than a day.

"This scam highlights the importance to cybercriminals of 'trendjacking' the latest big news in order to exploit people's natural curiosity," said Catalin Cosoi, head of BitDefender's online threats lab. "With high press coverage and the estimated number of users approaching 10 million, Google+ certainly fits the bill as a hook for this sort of activity."

Stats from BitDefender's Safego Facebook security app suggest that 25 per cent of users had seen some form of malicious content shared by one of their friends at one time or another.

Net security firm Sophos echoes BitDefender's warning, adding that social networking users need to be careful about which applications they allow, a precaution that especially applies when the basic premise of an app is suspicious. Easy invitations to Facebook's new rival in the social network market are hardly something you'd think the Zuckerberg-run outfit would be looking to encourage.

"You should also exercise great caution about what third-party apps you allow to access your Facebook records, especially when they are demanding the ability to post to your wall and grab personal information such as your date of birth and current location," Sophos warns.

A full write-up of the Google+ invite scam, along with advice on how to clean up your profile after mistakenly installing this type of app, can be found in a blog post by Sophos here.

 

Most Adobe Reader installs are out of date - stats


Off the back of our Today's Threat Landscape events which demonstrated how the unpatched vulnerabilities in Adobe PDF software can be exploited by cybercriminals, The Register have published figures about the scale of the problem.

Six out of every 10 users of Adobe Reader are running vulnerable versions of the ubiquitous PDF reader package, according to stats from freebie anti-virus scanner firm Avast.

Adobe applications, behind only browsers and Microsoft Office as a favourite target for hackers, are regularly the target of Trojan-based hacking attacks, often featuring maliciously constructed attachments. Sometimes these attacks take advantage of unpatched vulnerabilities, a scenario applied to targeted attacks, but more often than not, malware writers attempt to exploit well-known, patched security bugs.

Users who fail to keep Adobe Reader up to date are therefore leaving themselves at a much greater risk of malware-based attack. Avast reckons 60.2 per cent of its customers who use Adobe Reader were running a vulnerable version of the program. Only 40 per cent of users had either the newest Adobe Reader X or were fully patched.

One in five users also had an unpatched version of Adobe Reader that was at least two generations old (8.x), it adds.

Adobe Reader was used by 80 per cent of Avast's users. The next most common PDF reader application, Foxit, featured in just 4.8 per cent of installations.

"There is a basic assumption that people will automatically update or migrate to the newer version of any program," said Ondrej Vlcek, CTO at AVAST Software. "At least with Adobe Reader, this assumption is wrong – and it's exposing users to a wide range of potential threats."

Knowing applications might be vulnerable, never mind keeping them up-to-date, is tricky, especially for non tech-savvy consumers. And if updating computers is laborious and time-consuming – as has historically been the case with Adobe software updates – this compounds the problem. Patching utilities, such as Secunia's PSI tool – which is free for consumers – can certainly help, but application developers also have a responsibility to make patching as painless as possible.

Although it is possible for users to be protected by running fully-patched versions of either Reader 8.x or 9.x, Adobe encourages users to upgrade to Adobe Reader X with Protected View (aka "sandboxing"). Windows users are further encouraged to opt into the automatic update option built into the latest version of Adobe's software.

The prevalence of malware attack against Adobe applications has encouraged some security firms, most notably F-Secure, to advocate the use of alternative PDF Reader packages, essentially because they are less likely to be attacked. As F-Secure points out, the PDF specification supports the ability to launch executables or run JavaScript, functionality that most legitimate documents will never need but features that provide rich pickings for malware creators.

"With specs like these, it's no wonder it takes ages for Adobe Reader to boot up and load all the plugins," Mikko Hypponen, chief research officer at F-Secure, notes. "[And] It's no wonder there are regular security problems with PDF readers in general."

Last Updated on Thursday, 14 July 2011 15:30
 

Flaws in Apple iOS can be exploited by a malicious PDF


The Apple iOS contains multiple vulnerabilities when a PDF is viewed.

According to the German federal office for information security, the Apple iOS can be penetrated when a user clicks on a crafted PDF or is directed to a malicious website that contains such a document. This, it said, is sufficient to infect the mobile device with malware and the potential vulnerabilities could allow attackers to access the entire system with administrative privileges.

A report said that iOS up to and including 4.3.3 is affected but it could not be sure that other versions of the operating system are unaffected. While no attacks have been observed, it said that it expects that attackers are exploiting vulnerabilities in the wild.

The federal office recommended users do not open PDF documents from unknown or untrusted sources on Apple devices, including PDFs that are provided in the context of websites. It said that it is in contact with Apple and it expects Apple to release a security update that fixes the vulnerabilities soon.

An Apple spokesperson told The Associated Press he was aware of the warning, adding that Apple would not comment on it.

Mikko Hypponen, chief research officer at F-Secure, said that the threat is as serious as the last time that jailbreakme.com was using a zero-day but then nothing bad happened as Apple patched fast.

He said: “If things turn bad and we see an iPhone outbreak via the new PDF vulnerability, there's not much you can do as there are no anti-viruses available on iPhone.”

However, he also said that until Apple releases a fix, only jailbreakers will be safe from this specific attack. “I don't really recommend that anyone jailbreak their phone, because it breaks other parts of the security model of the phone and may introduce new vulnerabilities. But the bottom line is that right now iPads or iPhones have an unpatched zero-day vulnerability, and the only way to patch it is to jailbreak the phone,” he told Forbes.

 

