iPhone Exploits Revealed
LAS VEGAS -- Two methods that could allow criminals to break into and steal data from Apple's iPhone were demonstrated Thursday here at the Black Hat hacker conference.
Charlie Miller, a researcher with Independent Security Evaluators, had warned Apple more than two weeks ago that he would present his findings at the annual security conference. In an unusually quick turnaround, Apple responded Tuesday with updates to plug both security holes.
In his talk, however, Miller emphasized that there appears to be an abundance of other ways to compromise the iPhone, due to the fact that the iPhone's Safari Web browser was designed in part with the help of open source computer code that contains well-documented security flaws discovered more than a year ago.
While that still-vulnerable component can be fixed, Miller said there are fundamental design flaws with the iPhone that could well lead to further trouble for Apple in the months ahead.
For example, one of the key elements of securing computer code involves a process known as "randomization." In executing attacks against software, virus writers typically seek to exploit software vulnerabilities that then write the malicious code to very specific portions of a computer's memory. By randomizing or dynamically shifting memory address spaces each time the system boots up, software makers can significantly hamper the ability of viruses and worms to successfully hit their intended target. (Address space randomization was touted as one of the key security defense mechanisms that Microsoft built into Windows Vista.)
But Miller said the iPhone does not employ such techniques, which he said potentially provides hackers with a predictable and reliable roadmap to compromising the device.
While Miller's exploits were designed to run on the iPhone, the same vulnerabilities are present in unpatched Safari for Mac OS X systems and the beta version of Safari for Windows (these also were patched in the massive security update shipped by Apple earlier this week.)
Miller said he plans to publish the details of his research on his Web site later today.
August 3, 2007; 1:39 PM ET
Categories: Latest Warnings , New Patches , Safety Tips
Save & Share: Previous: New Tool Automates Webmail Account Hijacks
Next: Letter From Hackerdom: Not the Same Old DEF CON, Black Hat
Posted by: David | August 3, 2007 2:25 PM | Report abuse
Posted by: Phil | August 3, 2007 4:08 PM | Report abuse
Posted by: M | August 3, 2007 4:16 PM | Report abuse
Posted by: Tom | August 3, 2007 5:16 PM | Report abuse
Posted by: Dan | August 3, 2007 6:00 PM | Report abuse
Posted by: Brendon | August 3, 2007 9:45 PM | Report abuse
Posted by: Podesta | August 4, 2007 7:09 AM | Report abuse
Posted by: cbum | August 4, 2007 7:43 AM | Report abuse
Posted by: mhenriday | August 4, 2007 12:49 PM | Report abuse
Posted by: antibozo | August 4, 2007 2:08 PM | Report abuse
Posted by: Brendon | August 4, 2007 2:37 PM | Report abuse
Posted by: Brendon | August 4, 2007 2:41 PM | Report abuse
Posted by: Bean | August 4, 2007 5:04 PM | Report abuse
The comments to this entry are closed.