iPhone OS vulnerability

Most security researchers thought it wasn’t possible to run shellcode on an iPhone. Shellcode is code that can run from a command line, but the iPhone was thought not to allow it for security reasons. But Charlie Miller recently discovered a way to make it happen.

Miller and some of his colleagues found a vulnerability in the mobile version of the well-known web browser Safari that would allow an attacker to control the iPhone. Apple was immediately notified and later issued a patch for the bug.

The significance of Miller’s finding is that it works with unpatched versions of the iPhone as the devices are sold in stores. Researchers have shown a greater ability to manipulate iPhones that are “jailbroken,” the term for phones that have been modified to allow installation of applications not vetted by Apple. Those jailbroken phones have fewer protections on the device’s memory, Miller said.

He also contends that the latest version of the iPhone OS is pretty secure. But now that knowledge of the vulnerability is out there, you can be sure that someone will be trying to find a way to take advantage of it.
