Technological convergence came full circle with the release
of the iPhone, Apple's (Nasdaq: AAPL) 
newest wonder
gadget. Arguably the most anticipated product so far for 2007, the iPhone is a
multimedia and Internet-enabled mobile phone that brings Apple into
the mobile telecommunications market. While Apple plans to corner a 1 percent
share in the global mobile phone market (roughly 10 million units) in its first
year of availability, several analysts have forecasted even greater expectations
given the iPod's amazing success.
With all the hype surrounding the iPhone, security researchers are
waiting to determine whether it is secure enough to do more than just
communicate and entertain.
Sinister Sites
The platforms on which these mobile phones are running (such as
Symbian , Palm (Nasdaq: PALM) , and Windows
Mobile) provide software development kits (SDKs) to
third-party vendors so that they may create compatible applications. Hackers
have easy access to these platform blueprints, enabling them to find
vulnerabilities in the system to inject malware.
Some malware creators leveraged the type early without even creating malware for
the device itself. On June 30, 2007, researchers reported the discovery of a
pop-up ad that disguises as a venue that sells iPhone.
Triggered when visiting Google.com or Yahoo.com, the Trojan generated a pop-up ad that referred interested iPhone buyers to a phony Web site that resembled the Apple Web site. However, the malware authors took the money from confirmed purchases, and the buyers received nothing in return.
A few days later, SDA Asia reported an e-mail spam version of
this malware. The malware tried to improve its chances of successful
installation by exploiting ActiveX vulnerabilities to install its malicious
payload.
Other features include use of XOR encryption and multiple fake Web sites to thwart detection.
Hacked From the Gate
Apple developed the iPhone without releasing a software development kit, meaning developers and hackers alike will not find it easy to develop applications or malware for the iPhone.
However, days after its launch, Errata Security chief executive Robert Graham reported that one of the applications in the iPhone contained one of the vulnerabilities found in the beta version of Apple's Safari 3 browser. This vulnerability, when successfully exploited, may allow a remote user to assume control of Safari 3 to execute code of choice.
Safari is the third most popular Web browser with almost 5 percent of market share as of May 2007 (according to Net Applications.com). Hours after the release of the Safari 3 beta for Mac and Windows on June 12, independent security researcher Thor Larholm found a zero-day vulnerability relating to the URL protocol handler in the Windows version.
A Big Enough Target
Another researcher, David Maynor of Errata Security, found six other vulnerabilities in the Windows version -- four of which could allow denial-of-service (DoS) attacks while the other two could allow remote code execution on the affected system.
The bugs found on the Windows version of Safari may affect the iPhone as loopholes in one version can easily be located on another. Furthermore, the iPhone runs on Mac OS X, which has several security issues of its own and it is likely that these will be encountered in the iPhone. These vulnerabilities may offset Apple's closed platform strategy, as they provide hackers with material to explore.
The Safari 3 and iPhone vulnerabilities combined with the malware events seem to tell the world that Apple products are popular enough to serve as prime targets for lucrative exploits and bugs. It is wise to expect additional attacks in the future as the iPhone rolls out and availability and popularity increase.
I found this at
http://www.technewsworld.com/story/wireless/58916.html
