The company that designs its products “to be secure from day 1” is facing some security headaches of its own.
First, the vulnerabilities in its beta release of Safari browser for Windows, ironically discovered on “day 1”, within hours of Apple Wizard-In-Chief Steve Jobs announcing it with much fanfare (read previous post “Safari, Meet Windows: Apple’s cool browser comes with security holes“). Followed up by vulnerabilities in its cool (but way-too-overhyped) new iPhone. On Monday, Independent Security Evaluators revealed a vulnerability and a “a proof-of-concept exploit capable of delivering files from the user’s iPhone to a remote attacker”.
Part of the interesting Q&A; on ISE’s web site (linked above):
Should I turn my iPhone off and lock it in a drawer until Apple fixes this?
Not unless you plan to do the same to all the other computers you own. The iPhone is an internet connected device running a relatively full featured software suite: this research shows that it is vulnerable just like many other similarly capable devices, both PCs and embedded systems.
Does this add credence to Apple’s position that 3rd party applications are not allowed on the iPhone for security reasons?
We don’t think so. Almost all of the security engineering effort on the iPhone seems to have been spent protecting the revenue model, rather than protecting the user (which is, of course, an entirely understandable position). For example, a constrained environment is used to prevent users from loading new ringtones onto the phone, but the applications are not run in a constrained environment to contain damage caused by hackers who exploit them.
ISE’s Dr. Charlie Miller will reveal more details in a presentation on Monday (Aug 2nd) at BlackHat. Apple has fewer than 7 days to patch the iPhone, according to InfoWorld. More in this report “Black Hat spurs Apple to patch iPhone“.
{ 0 comments… add one now }