Apple iPhone vulnerable through Safari

A security vulnerability has been discovered in the Safari browser of the most recent version of the Apple iPhone software, according to security vendor Radware's research team.

A denial of service (DoS) problem occurs when an iPhone user opens a HTML page containing Javascript, which manifests the vulnerability. Users would be driven to the page by can social engineering such as spam mail or spam SMS.

Once this happens, the user will experience an application DoS which will crash the Safari browser and possibly the entire iPhone.

Radware said that the Safari browser was vulnerable due to a design flaw triggered by a series of memory allocation operations on the dynamic memory pool, which then triggers a bug in the garbage collector.

The flaw is currently unpatched, with Radware claiming users were vulnerable until an update is issued by Apple.

"While vendors are struggling to push new products and applications, it is evident that security still remains a secondary concern," said Itzik Kotler, security operation centre manager at Radware.

He added: "Hackers continue to misappropriate other people's software and their job is made easier by design flaws embedded into software products."

Before the iPhone was launched last year, IT PRO reported about how it could be a problem for IT departments as they try to incorporate the device into security and management policies.

Although legally dubious, the iPhone is capable of being hacked for use on different networks. Hackers could also be attracted by the fact that Apple now offers a third party developer kit.

Apple declined to comment.