iPhone vulnerability announced
Researchers at Independent Security Evaluators have announced at least two exploits that take advantage of the way the Apple iPhone opens a specially crafted Web page in Safari. Exact details of the vulnerability exploited will have to wait until a presentation at the end of next week's Black Hat conference in Las Vegas. However, some general information has been offered here.
In a preliminary draft of the Black Hat presentation, ISE researchers Charlie Miller, Jake Honoroff, and Joshua Mason note that there are "serious problems with the design and implementation of security on the iPhone," and they single out the fact that most processes run with administrative privileges. Also the custom operating system within the iPhone does not use address randomization or non-executable heaps, making it easy for someone to create an exploit once a vulnerability is found. The researchers said they found such a vulnerability within the Safari browser through fuzzing. Although the researchers wrote two exploits on their own, public exploits for these specific vulnerabilities do not exist. Apple was notified on July 17, 2007, and has yet to respond.
'One of the exploits requires the Safari browser to surf to a maliciously coded Web site. Once there, personal data, SMS text files, contact information, call history, passwords, e-mail, browser history, and voice mail information could be obtained by a remote attacker.
A second exploit developed by the researchers caused the iPhone to make a system sound and vibrate for a second after visiting a maliciously coded Web site. The same exploit could also dial a phone number, send a text message, or turn on the microphone to eavesdrop remotely on conversations within the room.
As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments. 
never tried to control or force them to do stuff. ???????
Microsoft is caught by the government, tried, found guilty and
no one even cares. But if Apple hardware - software is not
perfect people get all google eyed. Unless this is paid for from
redmond( ?? possible??,) I just do not understand it.
PS, actually the phone is fine, its a browser issue and should be
able to be cleared up with a software upgrade. Unlike many
phones out there today where the software is locked it, the
iPhone can be undated every time you sync it into its dock. Neat
feature. :-)
that Macs are "bullet-proof"... Where has Apple or any respecting
company or institution said Macs are "bullet-proof"? I have heard
they are less prone to and have far fewer viruses and Spyware than
Windows OS in the wild. I believe as of today there are currently
NONE in the wild that exploit the Mac. Yes I said none. Can this be
said for Windows or Linux? NOPE! YES, there are proof of concepts
but none in the wild that exploit the every day Mac user. Please
note that patches have been applied for everyone so all of them
have been squashed within a few weeks. Well, EXcept the new one
shown here for the very new iPhone. I am sure Apple will have a fix
for this in few weeks if not sooner as there turnaround fixes are
very fast!... NO OS is Bullet_proof as only a fool would claim this.
But No one can deny that Macs are far safer than any Windows
based device from the ground up, BUt no they are not perfect. I
would pick any Mac product over a Windows based product for
peace-of-mind any Day!!... Give me a sound reason not to. I think
the company who discovered the exploit would agree with me, See
below.
"The principal security analyst admits "It's not the end of the world;
it's not the end of the iPhone" and it appears it hasn't changed their
enjoyment of the iPhone itself. Even the security firm's founder
states that while he may more cautious about using a random
public WiFi network, "you'd have to pry it out of my cold, dead
hands to get [the iPhone] away from me." "
I think this is a a very small thing! SO get past the exaggerating to
support your personal bias... Overall, Macs are much more secure
than anything out there but NO they are not perfect and never will
be! Any won who claims this is truly ignorant.
Back to the Apple iPhone security vulnerabilities ... this does not surprise me. Remember with Bluetooth v1 came out with similar issues?
Mac users don't have anything valuable on their computers. That's all it is. If a hacker wanted access to valuable spread documents or private company data, a mac would be the last place they'd want to look. As a matter of fact, I don't know anyone who owns a mac and actually keeps any valuable data on it. Also, being that Mac's market share is only 16%, much fewer people exist with extensive knowledge of OS X's insides. To be honest, most Mac users are artists and producers. But in general, users in the entertainment field. An extremely small amount of Mac users actually know enough to exploit the OS. As opposed to Windows, which draws a great deal of gamers and techies. These people have a very good understanding of what makes Windows tick. You also pointed out that Mac has patched its bugs. As opposed to letting them fester? You surely aren't suggesting that Microsoft and Linux, especially Linux's Open Source Community, don't patch their problems, are you?
Now, I know I said that you weren't as security conscious as Windows users in the beginning, and I hope you didn't take offense to that. It's true, however, that Mac users don't care about security. Windows has an unproportionally large market share in business. The only time you will see a Mac used for business is edit video or audio for a producer (or burn CDs/DVDs to sell at the corner). No programmer in their right mind would spend countless hours trying to gain access to Rhianna's next album or some hipster's essay about "The Angst of Middle-class Teens."
OS X has had plenty of vulnerabilities and plenty more are yet to be uncovered; you just aren't as security conscious as Microsoft users. Being a user of both, mainly Windows however, I can see why people might think OS X is more secure.
Mac users don't have anything valuable on their computers. That's all it is. If a hacker wanted access to valuable spread sheets or documents or private company data, a Mac would be the last place they'd want to look. As a matter of fact, I don't know anyone who owns a Mac that actually keeps any valuable data on it. Also, being that Mac's market share is only 16%, much fewer people exist with extensive knowledge of OS X's insides. Furthermore, most Mac users are artists, producers, and in general, people with a focus on entertainment. An extremely small amount of Mac users actually know enough to exploit the OS. As opposed to Windows, which draws a great deal of gamers and techies. These people have a very good understanding of what makes Windows tick. You also pointed out that Mac has patched its bugs. As opposed to letting them fester? You surely aren't suggesting that Microsoft and Linux, especially Linux's Open Source Community, don't patch their problems, are you?
Now, I know I said that you weren't as security conscious as Windows users in the beginning, and I hope you didn't take offense to that. It's true, however, that Mac users care less about security. Windows has an unproportionally large market share in the business world. The only time you will see a Mac used for business is when a producer edits video or audio (or a poor college student burns CDs/DVDs to sell at the corner). No programmer in their right mind would spend countless hours trying to gain access to Rhianna's next album or some hipster's essay about "The Angst of Middle-class Teens."
Oh, and here's a graph showing how secure OS X is. http://blogs.csoonline.com/files/6mo-reduced-high.PNG
P.S. Vista sucks. XP Pro x64 is the best OS out right now.
P.P.S. You know that the iPhone's OS got completely hacked, right? http://www.engadget.com/2007/07/06/iphone-hacked-for-shell-access/
In case you don't know (and I'm sure you don't), shell access is everything. Shell access means control of the command prompt, with which you can do anything. Literally. Mac and Windows have the same shell, except the respective companies implement Graphic User Interfaces to make use easier. However, what really runs every process, starts every application, even boots your computer, is the comand prompt. Oddly enough, Windows Mobile, whose variants have been available since 2003, has yet to be exploited. Interesting tidbit, huh?
because it has happened a few times. or could that be unrelated??
that it was just an error or something like that until I read this
article.
- ISE - are nerds looking to make their bones
- by harringnail July 24, 2007 4:21 PM PDT
- What a joke, ISE is probably sponsered by Verizon, MSFT, RIMM, and Nokia. Even if they are an independent think tank then they are in need of some serious vacation time. Who doesn't try and hack a new type of technology or device once it has come out. It took them a month to develop a hacking device that will do this, who else is capable? also, how difficult is it, what type of equipment is needed, and when and how are they going to hack you? I can just picture it, while your in a coffee shop surfing on Lindseys latest arrest or checking on movie times, your browser goes down, what no response, reboot? Seriously who keeps credit card info in their phone anyway, hackers can easily get a hold of my info from credit card services. I don't care I love my iphone...
- Like this Reply to this comment
-
(10 Comments)