iPhone vulnerable to DoS attack

A security firm claims to have uncovered a denial-of-service vulnerability in version 1.1.4 of Apple's Safari web browser for the iPhone.

Radware said that the phone is vulnerable to DoS attacks owing to a design flaw that may be triggered by a series of memory allocation operations on the dynamic memory pool, which in turn triggers a bug in the garbage collector.

"While vendors are struggling to push new products and applications, it is evident that security still remains a secondary concern," said Itzik Kotler, security operation centre manager at Radware.

"Hackers continue to misappropriate other people's software and their job is made easier by design flaws embedded into software products."

To exploit the vulnerability, an iPhone user must open an HTML page which contains JavaScript that manifests this vulnerability.

Once at the site, an application-level DoS attack crashes the Safari browser and could go as far as crashing the iPhone completely.

Users could be lured to sites containing this attack via links in spam messages or other social engineering techniques.

Radware said that the vulnerability is a proof of concept, and looks like little more than a nuisance at this stage.

However, the firm believes that there is a possibility that a more sophisticated hacker could use vulnerabilities like this to shut services down or install malware.

See also:

Malware writers cash in on Olympics

Rootkit-laden video is latest to exploit Tibet protests  15 Apr 2008

Banks failing on ATM security

Unencrypted messages open to abuse, claims report  22 Feb 2008

'Anonymous' wages war on Scientology

Online spat turns nasty following Cruise video  28 Jan 2008

Spammers trash anti-money laundering site

With a little help from the hosting company  12 Oct 2007

Like this story? Spread the news by clicking below:

 del.icio.us     Digg this     reddit!