A vulnerability affecting iPhones and Mac computers running Safari (not Windows versions of Safari) has been announced by Independent Security Evaluators. The proof of concept has been disclosed to Apple along with a proposed patch.
When the iPhone’s version of Safari opens the malicious web page, arbitrary code embedded in the exploit is run with administrative privileges. In our proof of concept, this code reads the log of SMS messages, the address book, the call history, and the voicemail data. It then transmits all this information to the attacker. However, this code could be replaced with code that does anything that the iPhone can do. It could send the user’s mail passwords to the attacker, send text messages that sign the user up for pay services, or record audio that could be relayed to the attacker.
Sounds like lots of fun. The proof of concept will be demonstrated at Black Hat USA next week in Las Vegas.