iPhone vulnerable to DoS attack

An application-level DoS attack could crash the iPhone's Safari browser

A security firm claims to have uncovered a denial-of-service vulnerability in version 1.1.4 of Apple's Safari web browser for the iPhone.

Radware said that the phone is vulnerable to DoS attacks owing to a design flaw that may be triggered by a series of memory allocation operations on the dynamic memory pool, which in turn triggers a bug in the garbage collector.

"While vendors are struggling to push new products and applications, it is evident that security still remains a secondary concern," said Itzik Kotler, security operation centre manager at Radware.

"Hackers continue to misappropriate other people's software and their job is made easier by design flaws embedded into software products."

To exploit the vulnerability, an iPhone user must open an HTML page which contains JavaScript that manifests this vulnerability.

Once at the site, an application-level DoS attack crashes the Safari browser and could go as far as crashing the iPhone completely.

Users could be lured to sites containing this attack via links in spam messages or other social engineering techniques.

Radware said that the vulnerability is a proof of concept, and looks like little more than a nuisance at this stage.

However, the firm believes that there is a possibility that a more sophisticated hacker could use vulnerabilities like this to shut services down or install malware.