Read up on the latest ideas and technologies from companies that sell hardware, software and services. Zones provide focussed content from Computerworld and leading technology partners.Newsletter Subscription
Security vulnerabilities in the iPhone's e-mail application and Safari Web browser can be used by phishers to dupe users into visiting malicious sites or by spammers to flood the phone's inbox with junk mail, a researcher warned Wednesday.
Browser vulnerability researcher Aviv Raff said he reported three separate bugs to Apple about two weeks ago: two in the iPhone Mail program and one in its Safari browser.
Apple has acknowledged that the two vulnerabilities in Mail are security issues, Raff said, but the company is currently undecided on whether the Safari flaw meets its security bug criteria. At times, Apple has balked at labeling problems as security vulnerabilities, notably in May when it initially said the so-called "carpet bomb" bug was not security related. A month later, Apple did patch Safari to stymie the kind of attacks that Raff, and other researchers, had outlined.
"By creating a specially-crafted URL, and sending it via an e-mail [message], an attacker can convince the user that the spoofed URL, showed in the Mail application, is from a trusted domain, such as a bank, PayPal or social networks," Raff said in a post to his blog Wednesday afternoon. "When clicking on the URL, the Safari browser will be opened [and] the spoofed URL, showed in the address bar, will still be viewed by the victim as if it is of a trusted domain."
In lieu of any patches, Raff urged users to refrain from following links embedded in messages. If they wanted to avoid spam, he recommended that they stop using the iPhone's e-mail application completely.
Raff was hesitant to talk about the technical details of any of the three bugs in a follow-up interview conducted using instant messaging, saying that he would not disclose any specifics until Apple patches the problems. But when asked whether the spoofing flaws in Mail and Safari might be somehow related to protocol handler issues -- a common source of bugs in browsers for more than a year now -- Raff at first said, "No, nothing to do with protocol handling." However, moments later he added: "Hmmm. Let me rephrase it. Almost nothing to do with protocol handling."
The spam-related flaw in Mail is a "very basic design flaw," Raff said, that can make an e-mail account more vulnerable to spam. "I can't say more about this, as it may reveal the actual issue."
That bug has surfaced before in other versions of Apple's Mail software -- it bundles a much brawnier edition with Mac OS X -- and has been patched in those versions, said Raff.
Both the older version 1.1.4 of the iPhone's software, and the recently-released version 2.0, harbor the three bugs. Raff said that exploiting any of the three bugs was "trivial" and has crafted proof-of-concepts to demonstrate possible attacks.
Apple did not immediately respond to a request for confirmation of Raff's reports.
Computerworld Member Login
D-Link Australia & New Zealand
D-Link is the global leader in connectivity for small, medium and large enterprise business networking. The company is an award-winning designer, developer and manufacturer of networking, broadband, digital electronics, voice and video communication.
To Find out more about D-Link solutions visit www.dlink.com.au
D-Link Australia & New Zealand
Featured Products
- GREEN ETHERNET WEBSMART
DGS-1200 Series Managed Switch
D-Link has integrated its Eco-friendly Green Ethernet technology into the WebSmart switch family. WebSmart switches also known as the DGS-1200 series are ideal for the small organisations that wants high speed Gigabit connectivity and don't need many major management features. - DIGITAL HOME
DSM-330 HD Media Player
Leverage your PC power and enjoy fast, smooth, stutter-free video, music and photo playback in a rich, remote-controlled TV interface. The new generation D-Link DivX Connected™ HD media play is now available. - NETWORK ATTACHED STORAGE
DNS-343, 4-Bay NAS Box
The highly anticipated 4-bay NAS box has just arrived. Following the great success of its brother 2-bay NAS box the DNS-323. This unit is versatile and can be used in the home to share multi-media with the family or even in the office to store and share files.
New Products
-
BUSINESS GRADE FIBRE SWITCH
DGS-3100-24TG Managed L2 Gigabit Stackable SFP Switch
Providing 8 Gigabit Ethernet ports, 16 SFP ports and 2 HDMI ports for high speed switch stacking. This is the ideal device for WAN aggregation and use in commercial environments requiring fibre links. - POWER OVER ETHERNET SWITCH
DES-1008P, 8-Port PoE Switch
D-Links entry level PoE switch. Featuring 4 PoE Ports users can easily connect and supply power up to 15.4 Watts, a total PoE budget of 56 Watts. Ideal to be used with a variety of PoE clients such as D-Links IP Camera's or wireless access points. - SOHO VPN ROUTER
DIR-130, 8-Port Broadband VPN Router
DIR-130 is an easy-to-deploy routing 10/100 switching, VPN, and firewall designed specifically for the small office home office.
Download
- Product Selection Guide Issue 3, 08 (3.2MB PDF)
- D-Lifestyle Magazine Issue 11 (3.7MB PDF)
- D-Link Power Up Your Business Poster (1.7MB PDF)
Case Studies
- Commercial Grade Wireless - Four Points Sheraton Hotel Case Study (300K PDF)
- Business Class Switching - Microsoft Campus Case Study (800K PDF)
- High Bandwidth Networking Solution - Team Emirates New Zealand Case Study (751K PDF)
Whitepapers
D-Link TV
Watch videos about D-Link products and much morehttp://www.dlinktv.com
D-Link Training
Find out more about D-Link products trainings and certification programhttp://training.dlink.com.au
