• On CHOW: Girls who hate girly drinks
March 18, 2008 10:14 AM PDT

Web code locks up iPhones and iPod Touch

by Robert Vamosi
  • Font size
  • Print
  • 16 comments

A new exploit will either lock up your iPhone or iPod Touch or crash your Safari browser on your PC or Mac OS desktop if you simply visit a maliciously coded Web site. Unlike an earlier exploit that required users to click to become infected, the new code published by iPhoneWorld requires no user interaction.

So far, Apple has had no comment.

The code was first reported in January and exhausts the memory in Safari, which in turn will cause your iPhone or iPod Touch to freeze, or your desktop Safari to crash. "Given the nature of this issue," said the BugTraq newsgroup vulnerability report, "remote code execution may also be possible, but this has not been confirmed."

There is no patch available from Apple. The recommended workaround is to disable Javascript within Safari. To do so:

    1. Under Edit, click Preferences.
    2. Click the Security icon.
    3. Uncheck Enable JavaScript.
    4. Close and restart Safari.
As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
Topics:

Security

Tags:

security,

Apple,

Iphone,

Ipod Touch,

Safari,

memory exhaustion,

DoS,

crash,

iPhoneWorld

Share:
Digg
Del.icio.us
Reddit
Recent posts from Defense in Depth
Window Snyder to leave Mozilla
How to handle ID fraud's youngest victims
Is white listing going mainstream?
How Live OneCare changed the antivirus landscape
Express Scripts clients threatened with extortion
Study: DDoS attacks threaten ISP infrastructure
Security expert talks Russian gangs, botnets
Extortion used in Express Scripts database breach
Related
Apple patch plugs iPhone, iPod Touch holes
Final Fantasy and FF II coming to iPhone
What, no iPhone news?
Troubleshooting Apple's MobileMe Gallery app
Debating the merits of Apple's iPad
Apple's iPad: What you need to know
Apple iBooks e-reader: First Take
Editor's Take: Apple iPad
Add a Comment (Log in or register) (16 Comments)
  • prev
  • next
Interesting but....
by mreiher March 18, 2008 10:25 AM PDT
Since January huh? Must not be too bad... I have yet to have any <br />trouble with Safari or my iPhone... both are used daily and often. <br />But then again, I don't visit the kind of sites that might bring on <br />this sort of attack either. Maybe this report is a little overstated?
Reply to this comment
Quite agree
by ejevo March 18, 2008 10:57 AM PDT
As we all know, all things Apple are impervious to any threats and are implicitly safe. This just needless interrupts us from worshiping all that Steve Jobs bestows upon us. The author should know better.
Exception to that is
by Thomas, David March 18, 2008 11:52 AM PDT
When someone hacks a site to place the code on it. Given most <br />the sites I visit are not prone to those types of attacks, but that <br />does not prevent a link to site that has been hacked.<br /><br />Due caution is advised, but not critical. To restart your iPhone, <br />simply hold down the home button, and the sleep button (at top) at <br />the same time.
Which version(s) of Safari?
by henebry March 18, 2008 11:00 AM PDT
Apple just released version 3.1 of Safari for Macs and PCs. Does the <br />exploit work with the new release? <br /><br />Does it work on the older 2.x Safari as well? What about 1.x?
Reply to this comment
Probably All versions
by Thomas, David March 18, 2008 12:01 PM PDT
This affects the Javascript run-time, in the browser. The <br />javascript code is designed to eat up memory.
View reply
versions
by docstens March 22, 2008 7:39 AM PDT
The article specifically states that it doesn't work with Safari 3.1. <br />However, Safari on the iPhone and iPod Touch hasn't been <br />upgraded as yet.
3.1 is safe
by gianpo March 22, 2008 4:30 PM PDT
No the exploit does not work on 3.1
I love it !!!
by AppleSuxLeo March 18, 2008 7:30 PM PDT
now that Apple has a product that is a big target , we get to see just how INSECURE OSX really is.<br />It will be fun seeing how Apple and it`s fanboys try and spin all the attacks that are just starting , and there will be many more to come.
Reply to this comment
Get a clue
by zealant March 19, 2008 4:47 AM PDT
Actually, no, the insecurity of a very watered-down version of OS X says absolutely nothing about OS X itself. Besides, this is a very primitive, low-level attack, so it doesn't say much in the big picture. Javascript is a security risk no matter where you're using it anyway, which is why it's a good idea to disable it except on sites that really need it. Hooray for Firefox's NoScript addon.
Yessireebob
by Drpixelphd2 March 19, 2008 6:58 AM PDT
Applesuxleo - I can't wait! Let's have a party. I am in Florida.
Neanderthals Thrive
by McAdams March 19, 2008 9:50 AM PDT
Your comment disparaging Apple proves that neanderthals are still <br />wandering the earth. I still wonder why people like yourself look to <br />the negative side of life, instead of celebrating the good in people <br />and companies. What a tragedy.
LOCK UP STORY
by flyboy15 March 18, 2008 10:07 PM PDT
yes i think this is what happend to me yesterday, the iphone started working slowly, when i was checking the stocks, after that it froze when i checked the wheather, and after that none of the buttons would work, so i turned off and turned it back on. the next was that it told me to connect it to itunes. when i did it told me it had a error and i need to take it to apple store....
Reply to this comment
FIXED in Safari 3.1
by whosawhatsit March 19, 2008 5:23 AM PDT
Gotta love Apple for being prompt!
Reply to this comment
funny how I'm typing this on an archos 605.
by emoslayer6224 March 22, 2008 8:39 AM PDT
that's why I'm using this. Fame means threats.
Reply to this comment
Fantastic, but no mention for ipod touch or iphone
by thesplintercell March 22, 2008 7:09 PM PDT
?? i think your column is missing something...<br />mentioned ipod touch and iphone, but your only focus was with the computer-versions of safari...
Reply to this comment
(16 Comments)
  • prev
  • next
advertisement

Google's social side aims for some Buzz

Facebook and Twitter are the darlings of the social-media world, not Google--which hopes to change that with Buzz, betting it can organize your online social life.

Watching the birth of a gaming start-up

Stewart Butterfield and his friends are back at it with a new company. CNET's Daniel Terdiman was given exclusive, behind-the-scenes access as they built it from scratch.

About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.

Add this feed to your online news reader

Defense in Depth topics

advertisement
advertisement

Inside CNET News

Scroll Left Scroll Right
News
News site map
Latest headlines
Contact News
News staff
Corrections
CNET blogs
Popular topics
Apple iPhone
Apple iPod
Cell phones
CES 2010
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET