Researchers at Independent Security Evaluators have announced at least two exploits that take advantage of the way the Apple iPhone opens a specially crafted Web page in Safari. Exact details of the vulnerability exploited will have to wait until a presentation at the end of next week's Black Hat conference in Las Vegas. However, some general information has been offered here.
In a preliminary draft of the Black Hat presentation, ISE researchers Charlie Miller, Jake Honoroff, and Joshua Mason note that there are "serious problems with the design and implementation of security on the iPhone," and they single out the fact that most processes run with administrative privileges. Also the custom operating system within the iPhone does not use address randomization or non-executable heaps, making it easy for someone to create an exploit once a vulnerability is found. The researchers said they found such a vulnerability within the Safari browser through fuzzing. Although the researchers wrote two exploits on their own, public exploits for these specific vulnerabilities do not exist. Apple was notified on July 17, 2007, and has yet to respond.
'One of the exploits requires the Safari browser to surf to a maliciously coded Web site. Once there, personal data, SMS text files, contact information, call history, passwords, e-mail, browser history, and voice mail information could be obtained by a remote attacker.
A second exploit developed by the researchers caused the iPhone to make a system sound and vibrate for a second after visiting a maliciously coded Web site. The same exploit could also dial a phone number, send a text message, or turn on the microphone to eavesdrop remotely on conversations within the room.