"Due to the nature of iOS, this patch can only be installed on a jailbroken device," said comex in a short FAQ on JailbreakMe. "Until Apple releases an update, jailbreaking will ironically be the best way to remain secure."
Comex also dismissed concerns that others would exploit the vulnerabilities, noting that had not happened in 2010, something Miller confirmed.
"There's always a first time, but I think there's a good chance the security impact of these vulnerabilities will remain theoretical," comex wrote in the FAQ. "I did not create the vulnerabilities, only discover them. Although releasing a jailbreak is certainly not the usual way to report a vulnerability, it still has the effect of making iOS more secure in the long run."
Apple has not patched the bugs in the preliminary versions of iOS 5, the upgrade expected to launch alongside the next iPhone this fall, according to the iPhone Dev Team, another group of software developers who have created jailbreak tools. "But they'll almost certainly be fixed by the time iOS 5 is public," the team said on its own blog today.
Miller said the vulnerabilities used by JailbreakMe 3.0 were new to him.
"I was surprised" by the vulnerabilities and the ensuing exploits, said Miller, who with Dion Blazakis split a $15,000 prize at this year's Pwn2Own for hacking an iPhone.
"When Apple added ASLR [address space layout randomization] to iOS [4.3] in March, I thought we wouldn't see an exploit of it for a couple years," said Miller.
JailbreakMe 3.0 exploits two separate vulnerabilities, said Miller, including one that circumvents ASLR, an anti-exploit technology designed to make it more difficult for attackers to predict available blocks of memory where they can execute their code.
One of the vulnerabilities is in iOS's font parsing code and is exploitable via the PDF viewer built into the mobile version of Safari. The vulnerability does not exist in Mac OS X.
In an interview today and on Twitter, Miller called the JailbreakMe 3.0 hack "good work," "really slick," and "amazing."
Miller recommended that iOS device owners who jailbroke their iPhones, iPads or iPod Touches apply the PDF Patcher 2 fix immediately after hacking the operating system.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers, and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His email address is firstname.lastname@example.org.
Read more about Macintosh in Computerworld's Macintosh Topic Center.