Critical vulnerability in Safari iPhone browser
Security vulnerabilities in the iPhone version of Safari are becoming a bigger problem as more ways of exploiting them are discovered, and further bugs that facilitate attacks on the iPhone browser have now been found. Specialists from Errata Security first reported a hole in Safari in early June that gives an attacker a "degree of control" over the iPhone, including the ability to call premium rate phone numbers. Shortly afterwards, in mid June, SPI Dynamics announced that they had discovered a similar bug which could be exploited to call premium rate phone numbers without user intervention. This vulnerability could apparently also be used to block the device so that it could no longer dial numbers.
Now it is the turn of Security Evaluators, who claim to have uncovered a bug in Safari that can be used to execute code on an iPhone with "administrator privileges". According to their description, this is a different vulnerability from those found by Errata and SPI: no user interaction is required, and visiting a crafted web page is apparently sufficient to trigger the exploit, whereas the earlier bugs required users to click on a telephone number on a web page. Security Evaluators intend to publish details of the new vulnerability at the BlackHat conference in Las Vegas on 2nd August.
To tempt iPhone users onto crafted websites, Security Evaluators make use of an unfortunate peculiarity of the iPhone: it remembers the SSID of a WLAN access point it has used and automatically reconnects as soon as an access point broadcasting that SSID is detected nearby. Since anyone can broadcast any SSID, this makes the iPhone easy prey for a rogue access point, which can then answer every HTTP request with a page controlled by the attacker and thereby open the door to infecting the iPhone with malware. However, this only appears to work with remembered access points that use no encryption: for an encrypted network the rogue access point would need the network key to complete the connection, and the attacker does not have it. On top of this, iPhone users can also be drawn onto crafted web pages via links in e-mails.
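The following is an added example, not code from the article or from Security Evaluators, that models the auto-join behaviour described above and shows why the rogue access point trick only works against remembered open networks. The remembered-network list, beacons, MAC addresses and passphrase are constructed for illustration. The PMK derivation (PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes, salted with the SSID) is the real WPA2-PSK one; the pairwise key derivation and the message-3 frame are deliberately simplified stand-ins for the standard PRF-512 and EAPOL-Key format, assumed here only to show that both sides must hold the same key.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RememberedNetwork:
    """A network the phone has joined before and will auto-join again."""
    ssid: str
    security: str                      # "open" or "wpa2-psk"
    passphrase: Optional[str] = None   # only set for wpa2-psk


@dataclass(frozen=True)
class Beacon:
    """What the phone sees on the air. Anyone can beacon any SSID."""
    ssid: str
    bssid: str                         # MAC of the beaconing radio
    security: str


@dataclass(frozen=True)
class AccessPoint:
    """The radio that answers a join; passphrase is None for a rogue AP."""
    bssid: str
    passphrase: Optional[str]


def pmk(passphrase: str, ssid: str) -> bytes:
    # Real WPA2-PSK derivation: PBKDF2-HMAC-SHA1, 4096 rounds, salted with the SSID.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk(pmk_bytes: bytes, anonce: bytes, snonce: bytes, ap_mac: str, sta_mac: str) -> bytes:
    # Simplified stand-in for the standard PRF-512: one HMAC-SHA256 over the
    # nonces and MAC addresses, keyed with the PMK (assumption, not the real KDF).
    data = anonce + snonce + ap_mac.encode() + sta_mac.encode()
    return hmac.new(pmk_bytes, data, hashlib.sha256).digest()


def eapol_mic(key: bytes, frame: bytes) -> bytes:
    return hmac.new(key, frame, hashlib.sha256).digest()


def four_way_handshake(ap: AccessPoint, net: RememberedNetwork, sta_mac: str) -> bool:
    """Client-side view: accept the AP only if the MIC on message 3 verifies."""
    anonce, snonce = os.urandom(32), os.urandom(32)
    client_ptk = ptk(pmk(net.passphrase, net.ssid), anonce, snonce, ap.bssid, sta_mac)
    if ap.passphrase is None:
        # A rogue AP without the passphrase cannot derive the PTK; it can only guess.
        ap_ptk = os.urandom(32)
    else:
        ap_ptk = ptk(pmk(ap.passphrase, net.ssid), anonce, snonce, ap.bssid, sta_mac)
    msg3 = b"EAPOL-Key message 3: install keys"   # constructed placeholder frame
    return hmac.compare_digest(eapol_mic(ap_ptk, msg3), eapol_mic(client_ptk, msg3))


def auto_join(remembered: List[RememberedNetwork], beacons: List[Beacon],
              radios: Dict[str, AccessPoint], sta_mac: str) -> Tuple[Optional[str], str]:
    """Return (BSSID joined or None, reason) for the first joinable remembered SSID."""
    known = {n.ssid: n for n in remembered}
    for beacon in beacons:
        net = known.get(beacon.ssid)
        if net is None or net.security != beacon.security:
            continue    # unknown SSID, or security type differs from the saved profile
        ap = radios[beacon.bssid]
        if net.security == "open":
            # Nothing authenticates the AP: an SSID match alone is enough to join.
            return beacon.bssid, "open network joined on SSID match alone"
        if four_way_handshake(ap, net, sta_mac):
            return beacon.bssid, "wpa2-psk handshake completed"
        # MIC check failed: this radio does not hold the passphrase, keep looking.
    return None, "no joinable network"


# Constructed sample data (not from the article).
PHONE_MAC = "00:1c:b3:00:00:01"
REMEMBERED = [
    RememberedNetwork("CoffeeShop", "open"),
    RememberedNetwork("HomeNet", "wpa2-psk", "correct horse battery staple"),
]
RADIOS = {
    "02:00:00:00:00:01": AccessPoint("02:00:00:00:00:01", None),   # attacker, beaconing CoffeeShop
    "02:00:00:00:00:02": AccessPoint("02:00:00:00:00:02", None),   # attacker, beaconing HomeNet
    "00:11:22:33:44:55": AccessPoint("00:11:22:33:44:55", "correct horse battery staple"),  # real HomeNet
}
ROGUE_OPEN = Beacon("CoffeeShop", "02:00:00:00:00:01", "open")
ROGUE_WPA = Beacon("HomeNet", "02:00:00:00:00:02", "wpa2-psk")
REAL_WPA = Beacon("HomeNet", "00:11:22:33:44:55", "wpa2-psk")

if __name__ == "__main__":
    print(auto_join(REMEMBERED, [ROGUE_OPEN], RADIOS, PHONE_MAC))
    print(auto_join(REMEMBERED, [ROGUE_WPA], RADIOS, PHONE_MAC))
    print(auto_join(REMEMBERED, [ROGUE_WPA, REAL_WPA], RADIOS, PHONE_MAC))
```

The first call joins the attacker's radio because the saved CoffeeShop profile has nothing to check beyond the SSID; once associated, the rogue AP owns DNS and every HTTP reply, which is the situation the article describes. The second call fails because the attacker cannot produce a valid message-3 MIC for HomeNet without the passphrase, and the third joins only the real radio. Note the caveat this model makes visible: a PSK network protects against impersonation only as long as the attacker does not know the key, so a remembered hotspot whose password is printed on the wall is, for this purpose, as exposed as an open one.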
The exploit from Security Evaluators sends the SMS log, address book, dialled numbers and other data to the attacker. As with the other bugs, Apple has apparently been informed. As a workaround, the group suggests visiting only trusted sites, though their security advisory itself admits the limitations of this advice: malicious code targeting the iPhone can, for example, lurk in incorrectly configured forums. In addition, users should not click on links in e-mails and should connect only to known WLAN access points. How to train an iPhone to do the latter is not, however, explained.