Security vulnerabilities in the iPhone's e-mail application and Safari Web browser can be used by phishers to dupe users into visiting malicious sites or by spammers to flood the phone's inbox with junk mail, a researcher warned Wednesday.
Browser vulnerability researcher Aviv Raff said he reported three separate bugs to Apple about two weeks ago: two in the iPhone Mail program and one in its Safari browser.
Apple has acknowledged that the two vulnerabilities in Mail are security issues, Raff said, but the company is currently undecided on whether the Safari flaw meets its security bug criteria. At times, Apple has balked at labeling problems as security vulnerabilities, notably in May when it initially said the so-called "carpet bomb" bug was not security related. A month later, Apple did patch Safari to stymie the kind of attacks that Raff, and other researchers, had outlined.
"By creating a specially-crafted URL, and sending it via an e-mail [message], an attacker can convince the user that the spoofed URL, showed in the Mail application, is from a trusted domain, such as a bank, PayPal or social networks," Raff said in a post to his blog Wednesday afternoon. "When clicking on the URL, the Safari browser will be opened [and] the spoofed URL, showed in the address bar, will still be viewed by the victim as if it is of a trusted domain."
In lieu of any patches, Raff urged users to refrain from following links embedded in messages. If they wanted to avoid spam, he recommended that they stop using the iPhone's e-mail application completely.
Raff was hesitant to talk about the technical details of any of the three bugs in a follow-up interview conducted using instant messaging, saying that he would not disclose any specifics until Apple patches the problems. But when asked whether the spoofing flaws in Mail and Safari might be somehow related to protocol handler issues -- a common source of bugs in browsers for more than a year now -- Raff at first said, "No, nothing to do with protocol handling." However, moments later he added: "Hmmm. Let me rephrase it. Almost nothing to do with protocol handling."
The spam-related flaw in Mail is a "very basic design flaw," Raff said, that can make an e-mail account more vulnerable to spam. "I can't say more about this, as it may reveal the actual issue."
That bug has surfaced before in other versions of Apple's Mail software -- it bundles a much brawnier edition with Mac OS X -- and has been patched in those versions, said Raff.
Both the older version 1.1.4 of the iPhone's software, and the recently-released version 2.0, harbor the three bugs. Raff said that exploiting any of the three bugs was "trivial" and has crafted proof-of-concepts to demonstrate possible attacks.
Apple did not immediately respond to a request for confirmation of Raff's reports.
Read up on the latest ideas and technologies from companies that sell hardware, software and services. Opening the door to endless possibilities and bringing surveillance into the wireless age
The disruptive approach of open WiMAX
Refresh your AUP: Top tips to ensure your acceptable use policy is fit for purpose
Comprehensive centralized tools to automate planning, deployment, security and management of your wireless LAN
Everything you need to know about email and web security (but were afraid to ask)
The Case for an Untethered Enterprise
Motorola Introduces Industry’s First Tri-Radio 802.11n Access Point
Look before you leap | Key considerations for moving to 802.11n
Zones provide focussed content from Computerworld and leading technology partners.
Discover how SOA can create smarter outcomes for your business.
Attend and learn:
- How SOA is helping leading companies to become more agile
- Where you should be applying SOA processes in your company
- The top SOA implementation mistakes to avoid
Click here for more information.
- +
Computerworld Live Podcast #97: The Future of Enterprise Networking 25/07/2008 09:45:36
This week CW Live chats with Mark Thompson, global sales and marketing manager for HP ProCurve, on the future of the enterprise networking. Mark discusses the trends we can expect to see in the near future and how the right infrastructure can ensure your enterprise network is secure. - +
Computerworld Live Podcast #96: Security at the Edge 11/06/2008 09:22:22
CW Live speaks with Amol Mitra, HP ProCurve Director of Marketing for Asia Pacific and Japan. Today's topic: how enterprises are starting to shift away from simply controlling security via server logins, firewalls and moving to more adaptive security frameworks. - +
Data Management Edition #10: Multi-Petascale Systems 02/05/2008 09:12:33
This week we look at sustainability and the development of multicore technologies to build multi-petascale systems. - +
IT Security Edition #11: How to poison the Storm botnet 01/05/2008 08:51:55
This week CW Live presents a case study on how to poison the notorious Storm botnet . Plus we take a look at Cisco's plans for Ironport. - +
IT Security Edition #10: Cyber-battles fought and won 24/04/2008 11:09:47
Vendors bow to end user pressure to improve product security, and we take a look at the latest concepts shaping the cyber-battlefield of the future.
Vignette Announces 2008 Excellence Awards 2008-11-21 10:50:00+11
PGP and Ponemon Institute Unveil Inaugural Australian Data Breach Study 2008 2008-11-20 17:34:00+11
Symantec Cloud Services Transform Data Centre Operations Through Proactive Management 2008-11-20 12:06:00+11
Verizon Business Offers Tips to Building a Successful Unified Communications and Collaboration Plan 2008-11-20 12:04:00+11
AARNet Brings 4K Digital Cinema to Australia: First 4K HD Video Signal delivered into Australia by AARNet 2008-11-20 12:02:00+11
Still Sneaking In: The Threats Your Security Tools Aren't Telling You About
Web 2.0 applications are all the rage, offering us tremendous value when it comes to collaboration and communication. They also open us up to new kinds of attacks however, and can cause problems in keeping systems and data secure. Read on to learn about the new attack methods and how you can defend yourself and your business.
Buying Guides
Latest Products
