Apple is working to fix an SMS handling vulnerability in its iPhone. Apple is concerned about the security flaw and takes the view that, until the problem is fixed, an attacker could use it to run unauthorized code with full access to the device.
IDG News Service stated that Apple has been informed of the vulnerability and is working on a patch, which is scheduled for release before the Black Hat USA security conference. The SMS vulnerability is slated for disclosure at this conference.
Apple did not immediately respond to a request for comment. It was also recently reported that the iPhone 3.0 software contained 46 fixes for security vulnerabilities. The iPhone 3.0 software can automatically launch the Safari browser at particular times; this feature makes the iPhone highly user friendly, but also less secure. Apple has paid a lot of attention to usability, but this feature has made the iPhone prone to Wi-Fi hotspot hijacking. A malicious network poses a risk to any connecting device, and the automatic browser launch on the iPhone aggravates that risk.
The Black Hat security conference will take place in Las Vegas from July 25-30, and during this conference Charlie Miller, a security researcher at Independent Security Evaluators, will present information about the vulnerability.
Miller already mentioned the vulnerability during an iPhone security presentation at the SyScan security conference in Singapore. According to IDG, he did not elaborate on the vulnerability, citing an agreement with Apple.
Miller also plans to take part in two Black Hat presentations: “Fuzzing the Phone in your Phone” and “Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone”.
The first presentation, “Fuzzing the Phone in your Phone”, will cover the procedure of injecting SMS messages into iPhones, Windows Mobile devices, and Android phones through a technique called fuzzing. The other presentation, “Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone”, will explain how unsigned code can be injected into a process address space on the iPhone.
Miller won Apple hardware in the Pwn2Own contest at the CanSecWest security conference this year as well as the previous year. He won by exploiting previously unknown vulnerabilities in Apple's Safari web browser.