An End To Exploit-Based Development On The iPhone?
Apple CEO Steve Jobs explains the SDK shipping in February will help third-party partners and protect iPhone users from malicious programs.
With the upcoming introduction of an Apple-sanctioned iPhone software development kit in February, mobile application developers will no longer have to exploit a vulnerability to write iPhone applications.
Until then, determined developers may continue looking to the work of security research H.D. Moore, who has written a recent series of blog posts about cracking the iPhone.
Moore, director of security at BreakingPoint Systems and creator of the Metasploit vulnerability testing tool, has published details about the exploit that third-party developers have been using to put applications on the iPhone against Apple's wishes.
"Using a security vulnerability to enable third-party development is nothing new, but in the case of iPhone, this can be a problem," Moore said in a blog post last week.
The problem is that the flaw isn't merely useful for iPhone developers who just can't wait for Apple to open the iPhone up; it's potentially useful for hackers.
In a statement Wednesday on the Apple Web site, Apple CEO Steve Jobs made it clear that Apple is concerned about iPhone vulnerabilities.
"Some claim that viruses and malware are not a problem on mobile phones -- this is simply not true," said Jobs. "There have been serious viruses on other mobile phones already, including some that silently spread from phone to phone over the cell network. As our phones become more powerful, these malicious programs will become more dangerous. And since the iPhone is the most advanced phone ever, it will be a highly visible target."
The exploit described by Moore takes advantage of a programming flaw in libtiff, the open-source TIFF image-rendering library. It has been tested on several iPhone applications that incorporate libtiff: MobileMail, MobileSafari, and the iTunes Music Store, under firmware versions 1.02 and 1.1.1.
As Secunia explained in a recent security advisory, "The vulnerability is caused due to an error in the processing of TIFF images and can potentially be exploited to execute arbitrary code when a specially crafted TIFF image is viewed, e.g. in the Safari Web browser."
People who use their iPhones to read e-mail or surf the Web could thus be targeted by hackers.
The vulnerability also affects Apple's iPod Touch.
Secunia rates the vulnerability as "highly critical," or 4 on a 5-point scale.
"We are working on an advanced system which will offer developers broad access to natively program the iPhone's amazing software platform while at the same time protecting users from malicious programs," said Jobs. "We think a few months of patience now will be rewarded by many years of great third party applications running on safe and reliable iPhones."
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Digital Transformation Myths & TruthsTransformation is on every IT organization's to-do list, but effectively transforming IT means a major shift in technology as well as business models and culture. In this IT Trend Report, we examine some of the misconceptions of digital transformation and look at steps you can take to succeed technically and culturally.