With the large number of web applications for the iPhone, Apple lists more than 600, the Mobile Safari browser plays a large role. Recently a Denial of Service(DoS) vulnerability was discovered in iPhone’s web browser.
The researchers who found the vulnerability were looking for a method to unlock the filesystem on iPhones with the latest firmware(1.1.3). Unlocking the filesystem allows the installing of custom ringtones and 3rd party applications. With the last firmware version you could automatically unlock your iPhone by visiting a particular website with the Mobile Safari browser.
The DoS exploit can be triggered by visiting the proof of concept page and clicking on one button.
Once it’s clicked a warning will pop up and the exploit code will run.
The iPhone will then become unresponsive, touching the screen or pressing the Home button will have no effect. Under a minute later, the iPhone will reboot.
The DoS bug exploit is partially based on JavaScript code from the Month of Browser Bugs(MOBB). During the MOBB, which we’ve covered previously, a group of security researchers released an exploit for a web browser vulnerability every single day. While the original exploit was targeted at desktop browsers, the modified version simply attempts to fill memory and crash the phone.
Fortunately because the researchers did not have enough time or possibly any inclination, they have not produced a more troublesome exploit. The bug will only prevent you from using the iPhone temporarily and doesn’t steal your data or permanently damage the phone.
While the proof of concept site requires you to press “Go!” before it runs the exploit, a more malicious site could run the code without permission.
It’s possible to avoid the DoS vulnerability, at the cost of not being able to access certain web applications. JavaScript can be disabled by going to Home > Settings > Safari.
Apple also provides details on other settings(cookies,plug ins, cache) that can be changed.