iPhone vulnerable to JavaScript exploit
The dangers of the Interweb are almost enough for me to go back to writing letters and sending telegrams to my loved ones—almost. You think browsing the net on your iPhone is safe and then wham—you get hit by a truck. Literally. Because you weren’t looking where you were going.
And then, of course, there are security concerns online too. The most recent? A JavaScript vulnerability in MobileSafari that can be exploited by malicious code placed on a website, causing the iPhone to kernel panic. It hasn't been determined yet whether or not this could lead to remote code execution, but it's theoretically possible, given the nature of the exploit. iPhone 1.1.2 and 1.1.3 are both listed as vulnerable, with the potential for earlier versions of the firmware to be at risk as well.
What can you do about it? At the moment, you can turn off JavaScript under Settings -> Safari, but that’s not a great solution, since any spiffy web apps that rely on it—read: most of them—won’t work in the meantime. Guess it’s just a matter of hoping that Apple will patch this soon, and making sure you trust the sites you go to.
[via Engadget]
Category: News
Comments (3)
Unless this vicious code is embedded in macworld, CNN, fox, tvguide, macuser, wired, apple, google, ups, usps, Fedex, amazon, or the likes of those, I don't think I have too much to fear from this.
Posted by Walt | February 7, 2008 12:25 PM
I would be curious to hear from ANYBODY who actually gets hit by this and perhaps share what site(s) were the culprit. I think a lot of these "scares" are so far-fetched and I typically pass it off as nothing more than fanfare.
However, if there were truly some iPhone users out there who can actually confirm this, then it would sure be nice to know the source of the malicious code.
As a current user of firmware 1.1.1 (I am waiting for something "real" from Apple before I un-hack my phone) I am sticking with a hacked iPhone and a plethora of very useful applications that I use on a daily basis under firmware 1.1.1.
Posted by Mike Erickson | February 7, 2008 12:45 PM
There is already a JavaScript exploit called ImageMaker, from a UK company. The software basically has you set up a bookmarklet which points to their website which also contains JavaScript in the URL. You are instructed to save the bookmarklet with the site URL removed, leaving only the JavaScript. What does the software do? It allows you to collect images from the web so you can send them to your friends from your iPhone.
This is done without jailbreaking the iPhone, and opens up a whole new can of worms for having a malicious software exploit sitting on your springboard that is run when you select it.
A person could make a bookmark from an innocent-looking URL, only to have it execute a virus, or some other type of malware that could wreak havoc with your iPhone.
David B. Alford
Posted by David B. Alford | February 7, 2008 2:33 PM