March 18, 2008 10:14 AM PDT

Web code locks up iPhones and iPod Touch

by Robert Vamosi

A new exploit will either lock up your iPhone or iPod Touch or crash your Safari browser on your PC or Mac OS desktop if you simply visit a maliciously coded Web site. Unlike an earlier exploit that required users to click to become infected, the new code published by iPhoneWorld requires no user interaction.

So far, Apple has had no comment.

The code was first reported in January and exhausts the memory in Safari, which in turn will cause your iPhone or iPod Touch to freeze, or your desktop Safari to crash. "Given the nature of this issue," said the BugTraq newsgroup vulnerability report, "remote code execution may also be possible, but this has not been confirmed."

There is no patch available from Apple. The recommended workaround is to disable JavaScript within Safari. To do so:

    1. Under Edit, click Preferences.
    2. Click the Security icon.
    3. Uncheck Enable JavaScript.
    4. Close and restart Safari.
Originally posted at Defense in Depth
As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
Interesting but....
by mreiher March 18, 2008 10:25 AM PDT
Since January huh? Must not be too bad... I have yet to have any
trouble with Safari or my iPhone... both are used daily and often.
But then again, I don't visit the kind of sites that might bring on
this sort of attack either. Maybe this report is a little overstated?
Quite agree
by ejevo March 18, 2008 10:57 AM PDT
As we all know, all things Apple are impervious to any threats and are implicitly safe. This just needlessly interrupts us from worshiping all that Steve Jobs bestows upon us. The author should know better.
Exception to that is
by Thomas, David March 18, 2008 11:52 AM PDT
When someone hacks a site to place the code on it. Given most of
the sites I visit are not prone to those types of attacks, but that
does not prevent a link to a site that has been hacked.

Due caution is advised, but not critical. To restart your iPhone,
simply hold down the home button, and the sleep button (at top) at
the same time.
Which version(s) of Safari?
by henebry March 18, 2008 11:00 AM PDT
Apple just released version 3.1 of Safari for Macs and PCs. Does the
exploit work with the new release?

Does it work on the older 2.x Safari as well? What about 1.x?
Probably All versions
by Thomas, David March 18, 2008 12:01 PM PDT
This affects the Javascript run-time, in the browser. The
javascript code is designed to eat up memory.
versions
by docstens March 22, 2008 7:39 AM PDT
The article specifically states that it doesn't work with Safari 3.1.
However, Safari on the iPhone and iPod Touch hasn't been
upgraded as yet.
3.1 is safe
by gianpo March 22, 2008 4:30 PM PDT
No the exploit does not work on 3.1
I love it !!!
by AppleSuxLeo March 18, 2008 7:30 PM PDT
Now that Apple has a product that is a big target, we get to see just how INSECURE OSX really is.
It will be fun seeing how Apple and its fanboys try and spin all the attacks that are just starting, and there will be many more to come.
Get a clue
by zealant March 19, 2008 4:47 AM PDT
Actually, no, the insecurity of a very watered-down version of OS X says absolutely nothing about OS X itself. Besides, this is a very primitive, low-level attack, so it doesn't say much in the big picture. Javascript is a security risk no matter where you're using it anyway, which is why it's a good idea to disable it except on sites that really need it. Hooray for Firefox's NoScript addon.
Yessireebob
by Drpixelphd2 March 19, 2008 6:58 AM PDT
Applesuxleo - I can't wait! Let's have a party. I am in Florida.
Neanderthals Thrive
by McAdams March 19, 2008 9:50 AM PDT
Your comment disparaging Apple proves that neanderthals are still
wandering the earth. I still wonder why people like yourself look to
the negative side of life, instead of celebrating the good in people
and companies. What a tragedy.
LOCK UP STORY
by flyboy15 March 18, 2008 10:07 PM PDT
Yes, I think this is what happened to me yesterday. The iPhone started working slowly when I was checking the stocks, after that it froze when I checked the weather, and after that none of the buttons would work, so I turned it off and turned it back on. The next thing was that it told me to connect it to iTunes. When I did, it told me it had an error and I need to take it to the Apple store....
FIXED in Safari 3.1
by whosawhatsit March 19, 2008 5:23 AM PDT
Gotta love Apple for being prompt!
funny how I'm typing this on an archos 605.
by emoslayer6224 March 22, 2008 8:39 AM PDT
that's why I'm using this. Fame means threats.
Fantastic, but no mention for ipod touch or iphone
by thesplintercell March 22, 2008 7:09 PM PDT
?? I think your column is missing something...
mentioned iPod Touch and iPhone, but your only focus was with the computer versions of Safari...