iPhone vulnerability announced

But details will have to wait until next week's Black Hat conference.

Researchers at Independent Security Evaluators have announced at least two exploits that take advantage of the way the Apple iPhone opens a specially crafted Web page in Safari. Exact details of the vulnerability exploited will have to wait until a presentation at the end of next week's Black Hat conference in Las Vegas. However, some general information has been offered here.

In a preliminary draft of the Black Hat presentation, ISE researchers Charlie Miller, Jake Honoroff, and Joshua Mason note that there are "serious problems with the design and implementation of security on the iPhone," and they single out the fact that most processes run with administrative privileges. Also, the custom operating system within the iPhone does not use address randomization or non-executable heaps, making it easy for someone to create an exploit once a vulnerability is found. The researchers said they found such a vulnerability within the Safari browser through fuzzing. Although the researchers wrote two exploits on their own, public exploits for these specific vulnerabilities do not exist. Apple was notified on July 17, 2007, and has yet to respond.

One of the exploits requires the Safari browser to surf to a maliciously coded Web site. Once there, personal data, SMS text files, contact information, call history, passwords, e-mail, browser history, and voice mail information could be obtained by a remote attacker.

A second exploit developed by the researchers caused the iPhone to make a system sound and vibrate for a second after visiting a maliciously coded Web site. The same exploit could also dial a phone number, send a text message, or turn on the microphone to eavesdrop remotely on conversations within the room.

About the author

    As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.
