Saturday, July 21, 2007

iPhone Malware

Posted on Trend Micro Newsletter



THREAT LANDSCAPES

iPhone Malware

Technological convergence came full circle this month with the release of the iPhone, Apple's newest wonder gadget. Arguably the most anticipated product so far for 2007, the iPhone is a multimedia and Internet-enabled mobile phone that brings Apple into the mobile telecommunications market. While Apple plans to corner a one percent share in the global mobile phone market (roughly 10 million units) in its first year of availability, several analysts have forecasted even greater expectations given the iPod's amazing success.

With all the hype surrounding the iPhone, security researchers are waiting to determine whether it is secure enough to do more than just communicate and entertain. Similar smart phones have been affected by security issues ranging from malware to phishing activities. The platforms on which these mobile phones are running (such as Symbian, Palm, and Windows Mobile) provide software development kits (SDKs) to third-party vendors so that they may create compatible applications. Hackers have easy access to these platform blueprints, enabling them to look for vulnerabilities they can exploit to create damaging malware.

Malware Used to "Sell" iPhones
Some malware creators leveraged the hype early without even creating malware for the device itself. On June 30, researchers reported the discovery of a pop-up ad that purports to sell an iPhone. Triggered when visiting Google.com or Yahoo.com, the Trojan generated a pop-up ad that referred would-be iPhone buyers to a phony website that resembled the Apple website. However, the malware authors took the money and the buyers received nothing in return.

A few days later, SDA Asia reported an email spam version of this malware. The malware tried to improve its chances of successful installation by exploiting over ten ActiveX vulnerabilities to install its malicious payload. Other features include use of XOR encryption and multiple fake Web sites to thwart detection.

iPhone on Safari
Apple developed the iPhone without releasing an SDK, meaning developers and hackers alike will not find it easy to develop applications or malware for the iPhone. However, days after its launch, Errata Security CEO Robert Graham reported that the iPhone contained one of the vulnerabilities found in the beta version of Apple's Safari 3 browser, which is included as a bundled application on the iPhone. This vulnerability, when successfully exploited, may allow a remote user to assume control of Safari 3 and execute code of their choice.

Safari is the third most popular Web browser with almost 5% of market share as of May 2007 (according to Net Applications.com). Hours after the release of the Safari 3 Beta for Mac and Windows on June 12, independent security researcher Thor Larholm found a zero-day vulnerability relating to the URL protocol handler in the Windows version. Another independent security researcher, David Maynor of Errata Security, found six other vulnerabilities in the Windows version - four of which could allow denial of service (DoS) attacks, while the other two could allow remote code execution on the affected system.

Safari may be afflicted with future bugs, although in scaled-down versions on the iPhone. The bugs found on the Windows version of Safari may affect the iPhone version, as loopholes in one version can easily be located on another. Furthermore, the iPhone runs on Mac OS X, which has several security issues of its own, and it is likely that these will be encountered in the iPhone. These vulnerabilities may offset Apple's closed platform strategy, as they provide hackers with material to explore.

Conclusion
The Safari 3 and iPhone vulnerabilities combined with the malware events seem to tell the world that Apple products are popular enough to serve as prime targets for lucrative exploits and bugs. It would be wise to expect additional attacks in the future as the iPhone rolls out and availability and popularity increase.
