Vulnerabilities / Threats

7/2/2009
03:13 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Apple Planning Fix For iPhone SMS Flaw

An SMS vulnerability in Apple's iPhone is slated for disclosure at the Black Hat conference later this month. Apple is reportedly rushing to get a fix ready.

Apple is reportedly working to fix an SMS message handling vulnerability in its iPhone that could be used by an attacker to run unauthorized code with full access to the device.

According to IDG News Service, Apple has been notified about the vulnerability and is working on a patch that's planned for release prior to the Black Hat USA security conference later this month.

Apple did not immediately respond to a request for comment. But iPhone vulnerabilities are not unheard of: The company's recent iPhone 3.0 software release included 46 fixes for security vulnerabilities.

At Black Hat, which runs from July 25-30 in Las Vegas, Charlie Miller, a security researcher with Independent Security Evaluators, plans to present information about the vulnerability.

Miller mentioned the vulnerability in an iPhone security presentation on Thursday at the SyScan security conference in Singapore, but declined to provide details, citing an agreement with Apple, IDG reports.

Miller was not immediately available to comment.

He plans to participate in two presentations at Black Hat: "Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone" and "Fuzzing the Phone in your Phone."

The former talk will explain how to inject unsigned code into an iPhone's process address space. The latter will explore how to inject SMS messages into iPhones, Android phones, and Windows Mobile devices using a technique called fuzzing.

Both this year and last, Miller has won Apple hardware at the CanSecWest security conference's Pwn2Own contest by exploiting previously unknown vulnerabilities in Apple's Safari Web browser.

Black Hat is owned by TechWeb, which also publishes InformationWeek.

InformationWeek has published an in-depth report on smartphone security. Download the report here (registration required).

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
New Mexico Man Sentenced on DDoS, Gun Charges
Dark Reading Staff 5/18/2018
Cracking 2FA: How It's Done and How to Stay Safe
Kelly Sheridan, Staff Editor, Dark Reading,  5/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10428
PUBLISHED: 2018-05-23
ILIAS before 5.1.26, 5.2.x before 5.2.15, and 5.3.x before 5.3.4, due to inconsistencies in parameter handling, is vulnerable to various instances of reflected cross-site-scripting.
CVE-2018-6495
PUBLISHED: 2018-05-23
Cross-Site Scripting (XSS) in Micro Focus Universal CMDB, version 10.20, 10.21, 10.22, 10.30, 10.31, 10.32, 10.33, 11.0, CMS, version 4.10, 4.11, 4.12, 4.13, 4.14, 4.15.1 and Micro Focus UCMDB Browser, version 4.10, 4.11, 4.12, 4.13, 4.14, 4.15.1. This vulnerability could be remotely exploited to al...
CVE-2018-10653
PUBLISHED: 2018-05-23
There is an XML External Entity (XXE) Processing Vulnerability in Citrix XenMobile Server 10.8 before RP2 and 10.7 before RP3.
CVE-2018-10654
PUBLISHED: 2018-05-23
There is a Hazelcast Library Java Deserialization Vulnerability in Citrix XenMobile Server 10.8 before RP2 and 10.7 before RP3.
CVE-2018-10648
PUBLISHED: 2018-05-23
There are Unauthenticated File Upload Vulnerabilities in Citrix XenMobile Server 10.8 before RP2 and 10.7 before RP3.