Finding vulnerabilities for popular products is one of the best ways for a previously unknown application security company or a hacking group to get themselves known in the industry. The more popular the product, the bigger the potential reward for the group that discovered the first vulnerability.
It is therefore no surprise that iPhone, running a scaled down version of Mac OS X, became one of the primary targets of security researchers as soon as it hit the shops in the US on 28th of June.
Today, a company called Independent Security Evaluators disclosed preliminary details of an iPhone vulnerability which will be fully disclosed at the Black Hat conference in Vegas next week.
Although the full details of the vulnerability and the exploit are not published the concept seems plausible. It seems that the group has managed to find a vulnerability in MobileSafari, the web browser used by iPhone. Since websites are one of the most common sources of malware it is not surprising that the iPhone attack is making use of the web.
As with other browser attacks the user has to visit a malicious web page using a vulnerable browser. Once the malicious page is visited the code on the page exploits a vulnerability and starts a piece of executable code (shellcode) in the background.
The theory is that once the shellcode is running in iPhone's memory, the phone is compromised and the attacker can access all the details available to the user. iPhone, like many other PDA-type devices has a simplified single-user security model with all processes having unrestricted access rights. This unfortunately means that any exploited process will also have full access to the user data and the functionality of the iPhone. Unfortunately, Apple has closed iPhone for third party applications, which means that they will have to release a patch as soon as possible since they will not be able to rely on other security vendors for protection.
One thing that bothers me with this disclosure is its timing. Although ISE claim that they have notified Apple about this problem they have chosen to disclose the details before allowing Apple enough time to release a patch. This seems rather irresponsible from a group that considers themselves serious security researchers. Next week when ISE will be releasing the full details of the vulnerability I will also be at the Black Hat conference and I hope to be able to find out more and discuss their somewhat questionable disclosure policy.