Noted hacker HD Moore has posted exploits for a vulnerability in Apple's iPhone, the same flaw that's been used by others to unlock the smart phone so it will work on other networks. The vulnerability, which is in the TIFF image-rendering library shared by the iPhone's Safari browser and its e-mail program, as well as by the iTunes software, leaves the iPhone wide open to attack, said Moore, who posted a second, and more robust, exploit today after debuting attack code yesterday. "This exploit is rock solid. It's very reliable, as reliable as the WMF [Windows Metafile] exploits in Windows. You can send it in an e-mail, you can embedded it in a Web page. The second exploit works on 1.0, 1.0.1, 1.0.2 and 1.1.1 iPhones," said Moore.
"I think the iPhone is pretty terrible. It's an easy platform to exploit," he said. Part of that, he went on, is because exploiting any iPhone application gives root access to the entire phone. But other security weaknesses abound, he said, in the Safari browser and in the underlying operating system (a scaled-back version of Mac OS X). Moore has added the exploits to Metasploit, the popular penetration framework, a move that in the past has meant in-the-wild attacks are not far behind. He predicted that malicious code exploiting the TIFF vulnerability would be on the loose "pretty soon."
News source: ComputerWorld