March 18, 2008 10:14 AM PDT

Web code locks up iPhones and iPod Touch

by Robert Vamosi

A new exploit will either lock up your iPhone or iPod Touch or crash your Safari browser on your PC or Mac OS desktop if you simply visit a maliciously coded Web site. Unlike an earlier exploit that required users to click to become infected, the new code published by iPhoneWorld requires no user interaction.

So far, Apple has had no comment.

The code was first reported in January and exhausts the memory in Safari, which in turn will cause your iPhone or iPod Touch to freeze, or your desktop Safari to crash. "Given the nature of this issue," said the BugTraq newsgroup vulnerability report, "remote code execution may also be possible, but this has not been confirmed."

There is no patch available from Apple. The recommended workaround is to disable JavaScript within Safari. To do so:

    1. Under Edit, click Preferences.
    2. Click the Security icon.
    3. Uncheck Enable JavaScript.
    4. Close and restart Safari.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
(16 Comments)
Interesting but....
by mreiher March 18, 2008 10:25 AM PDT
Since January huh? Must not be too bad... I have yet to have any
trouble with Safari or my iPhone... both are used daily and often.
But then again, I don't visit the kind of sites that might bring on
this sort of attack either. Maybe this report is a little overstated?
Quite agree
by ejevo March 18, 2008 10:57 AM PDT
As we all know, all things Apple are impervious to any threats and are implicitly safe. This just needlessly interrupts us from worshiping all that Steve Jobs bestows upon us. The author should know better.
Exception to that is
by Thomas, David March 18, 2008 11:52 AM PDT
When someone hacks a site to place the code on it. Given most of
the sites I visit are not prone to those types of attacks, but that
does not prevent a link to a site that has been hacked.

Due caution is advised, but not critical. To restart your iPhone,
simply hold down the home button, and the sleep button (at top) at
the same time.
Which version(s) of Safari?
by henebry March 18, 2008 11:00 AM PDT
Apple just released version 3.1 of Safari for Macs and PCs. Does the
exploit work with the new release?

Does it work on the older 2.x Safari as well? What about 1.x?
Probably All versions
by Thomas, David March 18, 2008 12:01 PM PDT
This affects the JavaScript run-time, in the browser. The
JavaScript code is designed to eat up memory.
versions
by docstens March 22, 2008 7:39 AM PDT
The article specifically states that it doesn't work with Safari 3.1.
However, Safari on the iPhone and iPod Touch hasn't been
upgraded as yet.
3.1 is safe
by gianpo March 22, 2008 4:30 PM PDT
No the exploit does not work on 3.1
I love it !!!
by AppleSuxLeo March 18, 2008 7:30 PM PDT
Now that Apple has a product that is a big target, we get to see just how INSECURE OSX really is.
It will be fun seeing how Apple and its fanboys try and spin all the attacks that are just starting, and there will be many more to come.
Get a clue
by zealant March 19, 2008 4:47 AM PDT
Actually, no, the insecurity of a very watered-down version of OS X says absolutely nothing about OS X itself. Besides, this is a very primitive, low-level attack, so it doesn't say much in the big picture. Javascript is a security risk no matter where you're using it anyway, which is why it's a good idea to disable it except on sites that really need it. Hooray for Firefox's NoScript addon.
Yessireebob
by Drpixelphd2 March 19, 2008 6:58 AM PDT
Applesuxleo - I can't wait! Let's have a party. I am in Florida.
Neanderthals Thrive
by McAdams March 19, 2008 9:50 AM PDT
Your comment disparaging Apple proves that neanderthals are still
wandering the earth. I still wonder why people like yourself look to
the negative side of life, instead of celebrating the good in people
and companies. What a tragedy.
LOCK UP STORY
by flyboy15 March 18, 2008 10:07 PM PDT
Yes, I think this is what happened to me yesterday. The iPhone started working slowly when I was checking the stocks, after that it froze when I checked the weather, and after that none of the buttons would work, so I turned it off and turned it back on. The next thing was that it told me to connect it to iTunes. When I did, it told me it had an error and I need to take it to the Apple store....
FIXED in Safari 3.1
by whosawhatsit March 19, 2008 5:23 AM PDT
Gotta love Apple for being prompt!
funny how I'm typing this on an archos 605.
by emoslayer6224 March 22, 2008 8:39 AM PDT
That's why I'm using this. Fame means threats.
Fantastic, but no mention for ipod touch or iphone
by thesplintercell March 22, 2008 7:09 PM PDT
?? I think your column is missing something...
It mentioned the iPod Touch and iPhone, but your only focus was on the computer versions of Safari...