Infamous Safari Security Cracker Finds Vulnerability-ish in iPhone OS?

Very little code is bullet-proof. Hackers will always find holes. The worst holes will be critical. The worst hacks will be zero-days found in the wild, catching companies and users alike by surprise.

We're not sure we have any of that here. Macworld reports that, at the Black Hat Europe security conference, former NSA number cruncher Charlie Miller, who has turned his knack for finding exploits in the Mac version of Apple's Safari browser into tens of thousands of dollars and a couple of free MacBooks at the annual Pwn2Own contest, claims to have:

...found a way to trick the iPhone into running code that enables shellcode. To run shellcode on an iPhone, however, an attacker would first need a working exploit for an iPhone, or a way to target some software vulnerability in, for example, the Safari Web browser or the mobile’s operating system. Miller said he doesn’t have one now.

Miller previously gained attention for a Mobile Safari exploit that enabled some early jailbreaking and led Apple to patch the problem in firmware 1.0.1.

What's particularly disturbing, however, is that Miller also says he's unsure whether or not Apple knows about the potential vulnerability.

He should know that cold, of course. He should have told Apple long before making anything public, and gone public only once Apple had shipped a fix, or had ignored his warnings for so long that public pressure was reasonably the only remaining way to get one.

Either way, Miller should know that Apple knows, because he told them first. Or do we no longer warn the people in a house when we see a fire starting, and instead wait to see how much attention and cash the information can fetch?

Rene Ritchie

Editor-in-Chief of iMore, co-host of Iterate, Debug, ZEN and TECH, MacBreak Weekly. Cook, grappler, photon wrangler. Follow him on Twitter, App.net, Google+.


There are 11 comments.

Kevin says:

He's a hacker, most of the rush isn't finding the error first, it's letting everyone know you found it first, right? Also, your last question asks why hackers don't have morals...really?

Snowman81 says:

Yeah I guess Kevin is right, its about the glory...
@Kevin
Your last sentence was mad funny dude.

iErik says:

His last sentence wasn't funny at all. You just stereotyped all hackers.
Ever heard of ethical hackers?

Snowman81 says:

@iErik
Ooooh please, stereotyped? Get over yourself. Everyone knows companies often employ hackers and as the article also points out hackers often find holes and point them out to companies....it was just a funny statement....calm down.

zeagus says:

It is a stereotype. Lots of hackers are white or grey rather than black hats. It's not clear that he shared exploit code, but rather described a method of running shellcode if one were to exploit a separate (as far as we know non-existent) vulnerability. He has notified Apple straight away in the past, I don't see any reason to get all huffy.

Rene Ritchie says:

I believe with the last two Safari exploits, he didn't notify Apple but waited and used them to win Pwn2Own instead. At least he didn't tell anybody about them, but the fact that he said he has no idea whether Apple knows about this exploit means he likely hasn't told them. Not huffy, just not cool.

zeagus says:

I would be way more worried if there were a way to actually use the exploit he's found. As it stands it's a theoretical exploit that isn't all that much use. It's like some exploits in the software that I support that came to light recently. They basically amounted to an elevation of privilege IF you already had physical access to a box on the network already. IOW it's less scary than it sounds in both cases. It's like someone saying - "Haha! I can totally steal your wallet... if you hand it to me and then turn away for 30 minutes while I abscond with it." Just not worth quite the outrage level, IMO.

iErik says:

@neil
Get over myself?
For what, being more educated than you?
"Everyone knows companies often employ hackers and as the article also points out hackers often find holes and point them out to companies"
Those are ethical hackers... don't comment if you don't know shit about the subject, kid. Thanks!

fassy says:

@Rene:
Kind of. He discovered two exploitable bugs leading up to the first Pwn2Own contest, but, since the rules said you can only win once, he used the first right away and held back the second bug. The next year, Apple still had not fixed that vulnerability -- and nobody else knew about it, since he remained quiet -- so he used it to win the contest again.
As for whether or not he should have told Apple...well, it is a grey area. Certainly, it would be verging on (or perhaps actually is) criminal to release details of a bug or how to exploit it before notifying the vendor, but Miller has never done that. He has just said that there is a vulnerability that could potentially be exploited, and never provided the barest hint of a clue on how it could be done.
At this point, the ball is really in Apple's court to do something about this vulnerability -- track it down themselves, give Miller a call, or ignore him as a crackpot. Given Miller's history, he seems unlikely to be a crackpot, and if Apple wanted to fix it immediately, they would hire him.
But also, given Miller's history of never using an exploit maliciously, Apple seems to be taking the tack that nobody else will figure out how to exploit it, and, if they wait a year, they can get the Pwn2Own contest to pay for the legwork and get the details for free in a few months. I happen to agree with Apple that the risk of a wild exploit before the next Pwn2Own is very low, but I find their attitude towards security far more disturbing than anything Charlie Miller should or should not be doing.

Rene Ritchie says:

fassy,
I think the trouble is people like a puzzle. Just look what happened with domain cache poisoning. Word gets out about an attack, people start discussing it, people stumble upon the method, and suddenly it's in the wild -- and that was even after it was disclosed to vendors.
If Miller wants to set up a PayPal donate button to make some cash, I'll gladly click on it. In the meantime, I'd like my iPhone to be as safe as programmatically possible, so here's hoping he discloses vulnerabilities to the manufacturers as he finds them; then he can get his fame at white hat conferences presenting on his findings... after they've been patched :-/

Mark Asher says:

I don't think that Miller ever did gain root access with his Pwn2Own hacks. It's hard to do anything malicious on the Mac without root.