LAS VEGAS—Just hours before security researcher Charlie Miller was set to disclose the iPhone’s first security holes at Black Hat here on Aug. 1—regardless of whether Apple had patched the hole or not—Apple issued a monster update that snapped the holes shut.
Apple issued patches for around 50 security vulnerabilities affecting its Safari browser, the iPhone and its Mac OS X operating system.
Miller, along with his Independent Security Evaluators colleagues Jake Honoroff and Joshua Mason, during the week of July 23 ran the first remote exploits on the iPhone, proving that the widely popular smart phone is vulnerable not only to data theft but also to being turned into a remote snooping device.
The trio created an exploit for the iPhone’s Safari Web browser wherein they used an unmodified device to surf to a maliciously crafted drive-by download site. The site downloads exploit code that forces the iPhone to make an outbound connection to a server controlled by the security firm.
They demonstrated that a compromised device could then be forced to send out personal data, including SMS text messages, contact information, call history, voice mail information, passwords, e-mail messages and browsing history.
The researchers also wrote a second exploit to turn an iPhone into a bugging device to record audio that it then transmitted for later collection by what would be a malicious party if the exploit were performed by a black hat. This exploit entailed viewing another maliciously crafted site whose payload forced the phone to make a system sound and vibrate for a second. The researchers discovered they also could force the phone into other physical actions, including dialing phone numbers or sending text messages.
At the time, Miller told eWEEK in an interview that the iPhone fell surprisingly fast, taking only two to three days before faltering to the point that the security researchers knew they had a viable weak point.
Miller withheld details of the vulnerabilities, giving Apple a window of time—albeit a narrow one—to fix its phone before the hacking community got their hands on the information.
Apple said in a security notice that a problem with page updating combined with HTTP redirection could allow JavaScript from one page to modify a redirected page, thus allowing cookies and pages to be read or arbitrarily changed.
Credit for that one went not to Miller and his colleagues, but to Lawrence Lai, Stan Switzer and Ed Rowe of Adobe Systems for reporting the issue sooner.
Other problems addressed in the security update include a heap buffer overflow in the Perl Compatible Regular Expressions (PCRE) library used by the JavaScript engine in Safari. Miller and Honoroff get the credit for that one.
The iPhone update is only available through iTunes and won’t appear in a system’s Software Update application or at the Apple Downloads site. A Safari 3 Beta Update 3.0.3 is available via the Apple Software Update application or Apple’s Safari download site.
