
Security researchers HD Moore, creator of the Metasploit vulnerability testing tool, and Kevin Finisterre, who specializes in Apple security issues, earlier this week published an exploit that takes advantage of a bug in the libtiff library, which is used by iPhone applications such as MobileMail, MobileSafari, and iTunes.
"The fact that the libtiff vulnerability is out there and not patched is a problem," said Finisterre in an interview with CMP Channel. "I know I probably won't be using MobileSafari or MobileMail until the patch comes out."
The exploit works on any iPhone, including those with the latest 1.1.1 firmware that Apple released last month. "I have a strong feeling you could also trigger it via YouTube and Maps programs as well," said Finisterre.
Finisterre says there's a popular misconception that iPhone vulnerabilities can only be attacked over a wireless connection. But earlier this week, Finisterre and fellow security researcher HD Moore successfully exploited the libtiff bug using the iPhone's EDGE connection.
"I started Safari on my iPhone, browsed to a Website, and a few seconds later, HD was able to get root on my phone, without a wireless connection. Being able to run your own machine code pretty much opens the gates," Finisterre said.
"I think it's pretty serious -- and even more so, ironic -- that a year-old bug would get rolled into a semi-recent product," added Finisterre.
Apple couldn't be reached for comment on when a patch for the libtiff vulnerability might be released.
Joe Bardwell, president and chief scientist of Connect802, a solution provider in San Ramon, Calif., says all of the exploits he has encountered that impact EDGE have depended on users being persuaded to accept a connection request or send a message response.
"Ultimately, it's probably the unsuspecting user that unintentionally opens the door to let the hacker inject unauthorized code into the phone," Bardwell said.
This is the second time the iPhone has been burned by outdated open source software libraries, according to Finisterre. In July, researchers found a glitch in the Perl Compatible Regular Expressions (PCRE) library that's used by the JavaScript engine in Safari, which Dr. Charlie Miller, a researcher with Baltimore-based Independent Security Consultants, discussed in a presentation at the Black Hat hacker confab in July.
In an interview with CMP Channel at Black Hat, Miller said Apple regularly uses outdated versions of open source code in the OS X platform, much of which contains known security flaws.
