DOS Flaw Identified in Apple’s iPhone

Blog writer at McAfee Avert Labs, Jimmy Shah, discovered vulnerability in the Safari browser of iPhone on February 20, 2008. The exploit could be used to establish a jailbreak for version 1.1.3 of firmware, as reported by iPhonematters on February 20, 2008.

At the time researchers found the flaw, they were seeking a method to open file system on iPhones in latest firmware version 1.1.3. Unlocked file systems permit to install third-party programs and tailored ringtones. With the latest firmware edition, anyone can unlock his iPhone by accessing a certain website, using the Safari browser.

Anyone can exploit the Denial-of-Service (DOS) vulnerability by viewing the page, containing the proof-of-concept code, and then pressing a key that will present an alert and the code will start running. The iPhone will then become unresponsive before restarting quickly.

The DoS exploit partly contains a JavaScript code found in the MOBB (Month of Browser Bugs). During that month, a team of security experts published an exploit to help web browser bug every day. While the first exploit was aimed at browsers who use desktops, the updated version tries to overload memory and cause the iPhone to crash.

The exploit does not allow the user to use his iPhone and suspend the functions of iPhone. But it neither steals the user's data nor cause permanent damage to the iPhone. However, for the proof-of-concept to work, the user must interact by pressing the "Go" key. But in that process, a malicious Website can execute the code even without acquiring consent.

As per the researchers at McAffee, the exploit code can also help in other malicious activities. But if the JavaScript in the iPhone's Safari setting is disabled, these could be prevented. Basically, the disabled JavaScript makes the exploit unworkable as the code no longer runs automatically. However, it is not far when an even simpler jailbreak tactic will be published for 1.1.3.

In related news, security and engineering response team at Arbor has predicted that Apple's iPhone would become victim of a series of drive-by attacks in 2008. Some of these attacks apparently innocuous media embedded in malware will behave dangerously when viewed on this iPhone's Safari browser.

Related article: Dixie College Suffers Data Hack

» SPAMfighter News - 26-02-2008

3 simple steps to update drivers on your Windows PCSlow PC? Optimize your Slow PC with SLOW-PCfighter!Email Cluttered with Spam? Free Spam Filter!

Exchange Anti Spam Filter
Go back to previous page
Next