Update 7/31/2009 1431hrs ET
According to an article posted by Computer World Apple will provide a patch to the SMS vulnerability/Virus by this Saturday August 1st. Apple has currently not released any kind of public statement providing confirmation about this report from the BBC.
Yesterday, news broke about a serious security flaw that could allow a remote attacker to take control of the victim’s iPhone by sending a specially constructed SMS message. Today, the man who discovered it [Charlie Miller] will release the world’s first iPhone virus. He discovered an SMS hack 6 weeks ago and reported it to Apple, but they have yet to release a patch. Miller and his fellow cybersecurity researcher Collin Mulliner will both explain and reveal their iPhone SMS exploit some time today at the Blackhat cybersecurity conference in Las Vegas.
The security hole can breach your iPhone which can then be used to send messages, make calls, steal data and do anything else that is desired. The attack is enabled by a serious memory corruption bug in the way the iPhone handles SMS messages. The hackers or rather the demonstrators of this hacking attack informed Apple about this shortcoming, six weeks back — yet we’re not sure of an update to tackle the iPhone virus.
It’s worth mentioning that A [similar] vulnerability in Android was found, but then promptly fixed by Google, while another vulnerability in HTC’s code (company that makes Android and Windows Mobile-based phones) can render the phone useless, but it doesn’t allow the attacker to take control of it. iPhone’s security flaw, enabled by a memory corruption bug in the way it handles SMS messages, is by far the most serious.
How can you recognize and avoid the iPhone virus?
If you get a strange text message containing any square box, even if it’s from a recognized number you may be the victim of the iPhone virus.
You have two choices:
1. Put your iPhone in Airplane mode: Go to Settings -> Airplane Mode and slide the button to Off.
2. Hold down the power button, and slide to turn your iPhone off.
What isn't clear is if it affects 3.0. As far as I know, unconfirmed news says it happens in 2.x versions. Does the timeline work for 3.0 actually having the patch in it? I can only assume someone as techie as Miller would have tried it on the latest firmware, thus we are all vulnerable.
There is one important thing to note here, while all of us iPhone toting fanboys are a target, the vector is still SMS, meaning my phone number (ah hem, not that I have an iPhone) would have to be known by the attacker, or a lucky random hit.
Update: read that 3.0 is vulnerable here:
http://news.cnet.com/8301-27080_3-10299378-245….
Update: read that 3.0 is vulnerable here:
http://news.cnet.com/8301-27080_3-10299378-245….
[...] that an update on our post from yesterday was dead on (kudos to the BBC and Computer World), this patch should be [...]
[...] the amount of adverse news this week out of the Steve Jobs camp (or in some cases lack of thereof), I wanted to post up a few of my favorite images from around the web in reference to the iPod to [...]