Safari exploit gives hackers full control over iPhones and possibly PCs and Macs
By Thomas Ricker 
posted Jul 23rd 2007 3:05AM
posted Jul 23rd 2007 3:05AM
Oops, researchers just unveiled a pretty serious security vulnerability in the iPhone. More specifically, it's Apple's Safari web browser which exhibits the vulnerability. Researchers at Independent Security Evaluators have used the vulnerability to take malicious control of the iPhone from rogue websites loaded with the exploit. Once in, researchers have full administrative access over the phone allowing them to listen in on room audio or snatch the SMS log, address book, call history, email passwords and more -- we're talking full access to your phone. Researchers note that the only way to stay safe is to check those URLs and only visit sites that you trust (which isn't very reassuring) and "may or may not be exploitable" from Mac and PC versions of Safari -- the same vulnerability exists only they haven't written the proof-of-concept exploit to test it yet. Apple has been notified of the vulnerability and a proposed fix with full public disclosure coming at the BlackHat conference on August 2nd. You listening InfoSec Sellout? That's how you report a bug. Check the exploit in video form after the break. [Via MacRumors]
Amazing.
"Researchers note that the only way to stay safe is to check those URLs and only visit sites that you trust"
Actually the only way to stay safe is to stay away from that iTurd of a cell phone.
awww, you still with verizon?
Probably not. There are only 5 carriers that guy could be on (none of them available in America in their original forms) that would qualify him to call the iPhone an iTurd-SK Telecom, KTF, DoCoMo, Softbank, and au(KDDI).
aww, still butt hurt over the iPhone?
You just try searching "KDDI" over on Engadget Mobile and tell me with a straight face that you think I want the iPhone over any of those phones.
So if this is true, clearly the iPhone has been completely hacked. Now someone just needs to turn that exploit into a way to do some useful customization of the iPhone.
Uhm... who said anything about windows?
Inferiority complex?
Ha! I can't believe you actually posted this. I knew you fanboys would jump to Apple's defence. It may only be one exploit, but it's still important especially considering it can affect the iPhone. And as Gil said, no one even mentioned Windows, so keep your shirt on.
Oh dont even start the Windows/Mac exploit crap. Its a computer, all computers are suceptable to virii.
Especially computers that run OS's that believe in security through obscurity.
Name one virus that was widespread on the mac since 1984.
Oh wait you can.
Shut up now.
can't*
maybe because so few people use macs, Miles?
I don't mean to bash, it's just a fact.
miles: google for "Init 29 virus"
Ignorant fanboy.
Miles? autostart. That was 1998, which is manifestly after 1984. Just so we're clear, I'm all mac all the time, but I'm realistic. Part of the lack of viruses is because of market share, part of it is because the OS itself (Jesse S, can you please show us all where security through obscurity is an official Apple policy??) and part of it is because the windows world seems to remain a target rich environment.
@ miles
"Name one virus that was widespread on the mac since 1984."
May, 1998 - AutoSart worm , aka AutoStart9805
@saaaa
15 million is "few' to you?
Wish I had a penny for every mac user...
No, a big reason there were so many more Windows viruses is poor engineering. Deal with it, MIcrosoft's first concern is profit, always. They'll fix the bugs after they become a problem, rather than write decent code in the first place.
Yes DoucheCrew, few. As someone already stated, that's not much when comparing with the number of people who uses PCs. I believe that is mostly due to their pricing... I know I'd buy one (but I'd be using OSX as secondary), but I'm not going to spend that much money on looks. Especially when there are plenty of cheaper options and just as good.
Wow Miles, you're really making a name for yourself today.
WOW! WHAT A GREAT DEVICE! Let's see, no support for this, no support for that, shitty sound quality, exploits, etc.
BUT OMFG IT HAS A GRATE UI AN DESIGN!!!!1!!!!!1111!!!11
I'll happily wait for my i760 or vx6800 on the superior CDMA networks.
You fail.
OMFG, I just checked the specs on both phones you mentioned. Although I tried to stay away from the iPhone till version 2, I was able to play with some co-worker's iPhones. Now after having one for over 2 weeks, it's obvious you haven't even seen one in RL. Or you just aren't that interested in high quality movies (640 x 280 on a 3.5" screen) , music, (real) web browsing, multiple email accounts, satellite/google maps (with built in auto locaters for instant web connection or instant phone calling) , 2 megapixel camera, full address book (including photos), with one button push to both email or phone, One button iChat like SMS, calendar, weather reports, stock reports, YouTube and I can go on and on. And I have yet to get one complaint about the sound quality. Okay, edge technology isn't the greatest ATM but 99% of the time I find a WiFi hotspot and with over 1 million new subscribers, I'm sure AT&T now has some new cash flow to work this out. So good luck with your tiny screen and limitations Verizon puts on your options. I love my new iPhone. Cheers!
"Superior CDMA networks" eh? You sir are an idiot. CDMA is backwards bullshit. GSM is truly the way to go, for the international traveller. Verizon only recently introduced a World Blackberry oh yeah, and what technology does it switch to when overseas? GSM! Qualcomm may come up with cool stuff but right now it needs to wrench its head out of its ass and drop this CDMA crap.
@Gary
Sorry, but PDAs have better web browsing than the iPhone
iPhone doens't have real browsing, even me, a fanboy, knows that.
Call me when I get flash and javascript (Like on my PSP)
I would be concerned if Apple was known to let such exploits go unfixed. With that in mind, i dont see this as too big of a deal as long as Apple resolves it with a software update. Not like they released the code of the exploit on the internet for any and everyone to use at their own will...
"Name one virus that was widespread on the mac since 1984."
I think macs would have to be widespread before you could consider a mac virus widespread
Elk Cloner was the first virus recorded and guess for what system? apple II ;)
Widespread among the Mac community is what he meant.
There have been plenty of viruses affect the Mac platform prior to OS X. These were much more rampant after the internet became common, but they still existed in the 1980s.
The "security through obscurity" argument holds no water as OS X has a much greater marketshare now than it ever had with System 7 (which had plenty of viruses) and OS X does not have 5% of the viruses. It is just FUD propaganda perpetuated by MS apologites.
Furthermore, if marketshare is the key, then MS' ISS should be airtight as it's not the most popular web server, but its not.
Why wouldn't somebody be compelled to write exploits for the Mac OS? Even though Apple has such a small market share, it's still millions of users, whose money and personal info is just as valuable as any Windows/Linux user's. Actually Mac user info is probably more valuable since research has shown that people who use Apple products have more disposable income. The whole security via obscurity theory is bullshit… Criminals really don't give a shit about what OS a potential victim is using, unless it is less secure. Which there are less secure OS's out there… Just out of curiosity, how many exploits are there for Windows mobile? No need to flame or bash me, I'm attempting to use logic and reason to make sense of some of the comments above
@ Dimebag
"Actually Mac user info is probably more valuable since research has shown that people who use Apple products have more disposable income."
I'm pretty sure that the mean income of the victims is irrelevant as most viruses/trojans are merely used to replicate and cause as much widespread damage to as many users as possible.
No, the 'small marketshare' argument is something that's both true and relevant. Macs have 5% marketshare. Windows has something like 90%. Unless your average mac user is 18 times wealthier than your average windows user, then you're better off targeting windows users. to quote terry pratchett, there are a lot more poor people than rich people, and it's easier to get money out of em.
The main points here are it is just a video, edited at that. Not one that shows the two sides of the exploit side by side so it could be made up. Most likely not but could be.
Secondly, the iPhone is software update friendly so this and any exploits can be fixed very easily and will be soon.
Third, If it has a computer it can be exploited! Coke Machines, Slot Machines, Cars, Phones and whatever else. So what the number of people who know how to actually do anything with the information exploited is far less then the apparent fear is portraying.
Look the phone is getting a lot of attention from both haters and lovers and all in-betweeners. If you really hate the device and Apple so much the best way to make an impact on the anti-iPhone mission is to stop reading these articles, filter iPhone from you mind, ignore it, and stop commenting on it. You antagonist are doing more for the craze, hype or whatever you want to call it than the millions of us who already bought an iPhone.
I got my phone and yes i love it,
No, i'm not a fanboy,
No, it ain't perfect by any means,
Yes, it does what it is supposed to do for the market it was intended for, neophytes and gadgetaphiles
Yes, it was expensive,
Yes, it will be updated
Yes, it will be hacked, and updated again and the cycle will continue
Really if you don't like it than just stop hating it and the hype will go away.
smartest comment yet. cheers!
I had the new on my blog one day before MacRumors :)
But my blog is in Greek, so you couldn't have read it there... :(
apple: crash different...
If you have an exploit that allows you to take complete control over the device isn't one all you need?
Can Miles please be ip banned from each thread where there's a mention of OS's?
The fact that the iPhone has a vulnerability isn't surprising, most systems do.
What is sad, is that a company whom portrays themselves as:
"Maintaining confidentiality and privacy is of the utmost importance to ISE. The security evaluation of systems and products is a highly sensitive matter, and ISE recognizes that maintaining confidentiality results is critical."
- http://www.securityevaluators.com/profile.html
would publicly disclose this information without working with Apple to first develop a patch.
ISE, if you're reading this, security researchers who follow this kind of business model don't last long in the business.
In full disclosure, I don't own a single Apple product...all my vulnerabilities can be found on other platforms.
I don't think you want to be lecturing ISE on how to do responsible security research. ISE is composed of some of the most respected security researchers in the industry (among them, Avi Rubin). They've been around the industry for a long time. I think they have a pretty good understanding about what responsible disclosure means. You'll note that, in fact, they've already contacted Apple about this issue, and they're not releasing an exploit at this point.
@Dave. I'm not saying they aren't good researchers, but this was definitely not a responsible disclosure. Responsible disclosure would have been to:
1. Contact the company (possibly propose a fix, as was done in this case).
2. Give the company a reasonable amount of time to respond and acknowledge the vulnerability.
3. Coordinate a public disclosure with a patch availability.
4. Provide a link to the patch from within the vulnerability.
5. Disclose.
Number one and five alone do not constitute a responsible disclosure. These aren't the only smart guys on the planet. There are plenty of people who just need to be pointed in the correct direction to find an exploit.
Under no circumstances should either party be releasing exploit code, before, during or after a coordinated disclosure. It's just not classy to do so.
Given the popularity of the iPhone and the activity currently devoted to prying it open, it is quite likely that issues such as this one are already known among the black-hat community. As such, and in particular given the potential consequences of exploitation, it is reasonable to disclose the issue now, and allow users of the device to modify their behavior to mitigate risk. ISE is doing the community a favor here. Ignorance, in this case, is anything but bliss. How much worse would the situation be, for users and for ISE, if an exploit were delivered into the wild by some bad actor, and it were to subsequently become known that ISE was sitting on knowledge of the vulnerability?
The bad guys never need to be "pointed in the correct direction." They're already headed that way, and the only hope for security is to get there before them.
Haters and fanboys aside, at the end of the day, this kind of discovery is ultimately a good thing. If the vulnerability is real, Apple will certainly make a fix, and the iPhone will be that much more robust. Meanwhile, docrock is right on target: the number of people who CAN exploit this, versus the number of people who CAN and WILL exploit this, is very small. Little to fear, here.
No product is perfect when it arrives on the market. If a company took the time to do that, the product would be obsolete by the time it was released. This is all part of the process.
I heard this driving to work, but they said it'd already been fixed via a push to all of the iPhones. So it's not even an issue anymore.
Miles get out of your own butt and realize that it's funny your prceious Apple isn't God and that Microsoft is still better then you.
I think what he's trying to say is ... When a vulnerability turns up for Macs, it's all over the internet. Ridiculed, laughed at, "told you so," et cetera. Yet, hundreds of Windows exploits come out monthly and we rarely hear about them. But when he said it, he added about 50 ignorance points and 200 fanboy points.
Jeez, easy with the handbags there, ladies.
As for this issue, perhaps it's time the mac users went iFox.
Predictable.
Macs, iPhones and general Apple stuff are getting more attention, thus more people will be willing to create exploits and stuff.
People argue a lot over this.
For me, clearly Apple products have a better design. But the main reason why there's not many exploits and virii is because there's far less people interested in spending time trying to develop those to Apple products.
That's the way things work.
This is not the first, and won't be the last problem on Safari, specially now that there's a PC version, thus far more "hackers" willing to mess with it.
So what happened to everyone saying Apple products were secure? ;)
Looks like the hacker community is really starting to get their feet wet and this is probably only the beginning.
No one with half a brain would say Apple products are totally secure.
But the fact is, they are inherently more secure than the majority of Microsoft products.
And practically speaking, by comparing the number of exploits, they are vastly more secure than Microsoft products. There are various reasons, and not all because of Apple engineering, but the reality is, as of now, Apple products are Fort Knox compared to Microsoft products.
However, feel free to woot woot, dance a little jig, whatever, Microsoft fanboys. This appears to be a real and serious exploit, assuming someone hits an unsafe site. However, it will undoubtedly be patched, along with the embedded autodialing from the browser... something else that needs to be patched.
no, comparing the number of exploits says nothing. Microsoft has maany many more products than apple has. Microsoft has been on the front line and run on 90% of all computers for years. They are the fort knox of operating systems. How many security updates has macos had this year? Many time more than windows. by june 1st they had already patched over 100 flaws. Who knows what the number is at now but im guessing the patched another 30 this month. keep dreaming buddy !
Safari on PC is not made for public consumption, IMHO. They released it so that developers could test third party apps in windows using safari, nothing more. That's what I think, but I hope that a patch for this comes around quickly. That's why they conveniently released in a similar time frame that the iPhone was. This is, however, one area where MS does have more experience- fixing bugs. Microsoft is big enough that they have a fix pretty quickly (usually!), but Apple is pretty new to the security problem game, as far as I can tell. Not saying MS is better, just commenting on things. so please don't flame me, lol.
ok, i hope you know you can make phone calls to the PSP you big douch. furthering the fact that the iphone is a POS
Well, at least it can download QuickTime. Should I call you on the PSP. What's the number?
lol at thinking PC's will be affected. nobody uses that POS software on PC.
All apple says is "our software/hardware is the best" while its far far from being the best.
The fact that the iPhone has an exploit doesn't bother me so much. While it proves once again that even Apple products are susceptible to bugs, Apple is usually pretty good at patching them quickly. (In fact Microsoft is usually pretty fast at patching things, too. There's just so many things for them to patch.)
What does bother me about this, though, is that the flaw has been found so early in iPhone's life. Does this mean that people are turning their attention to exploiting OSX more now? If so, I'm concern how long it would take before they hackers turn their attention to Apple computers, too.
I'm just finding it a little funny because the rationale for relegating 3rd party support to the usage of web apps only (and not native/installable programs) was that web-based applications would supposedly be much more secure than traditional programs. And now it turns out that the first security issue to be found stems from the browser? How safe!
It won't be long before someone figures out a way to hack into the phone through an innocent-looking web app, even after Apple fixes this current exploit. Apple should just open up the damn phone already and quit being such control freaks, as it's clear that no matter what, there will always be security risks. There's no longer an excuse for snubbing true 3rd party apps.
/soapbox xD