From: John Navas on
Apple's iPhone is vulnerable to exploits that allow an attacker to spoof
web pages even when they're protected by the SSL, or secure sockets
layer, protocol, a security researcher said.

The fault lies in a feature that makes it easy to configure large
numbers of iPhones so they meet an organization's IT policies, said
Charlie Miller, a researcher at Independent Security Evaluators. Not
only does the provisioning feature work over the internet, it can be
tricked into accepting malicious configuration files.

"If the user accepts, the attacker can make changes to the phone's
configuration which can cause harm," Miller wrote in an email to The
Reg.

The revelation comes after the hack was discussed in an anonymous blog
post over the weekend. It explained how it was possible to sign an
XML-based configuration file using an SSL certificate registered to a
fictitious company called Apple Computer. Because the iPhone checks only
that the certificate was signed by a trusted CA, or certificate
authority, the author's rogue update.mobilconfig file was accepted and
executed.

The author claimed the hack could be used to change an iPhone's proxy
settings, a change that would allow attackers to do much more nefarious
deeds such as funnel traffic to servers under their control. Miller said
he wasn't sure such an attack was possible, but he didn't rule it out,
either.

"It definitely allows them to change the trusted certs which means that
you can't trust SSL anymore," Miller wrote. "I don't have the cert the
guy generated to really confirm things on my own. I'm very confident
that it can do a lot though."

In addition to changing trusted certificates, Miller said, a rogue
configuration file could be used to disable Safari or other iPhone apps
or block access to particular websites that can be accessed.

MORE:
<http://www.theregister.co.uk/2010/02/02/iphone_malicious_config_attack/>
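
An added example, not part of the original post or the article: a small audit of a configuration profile's XML plist for the three kinds of change the article names (trusted certificates, proxy settings, disabled apps). The sample profile is constructed, and the input is assumed to be the plain XML plist already extracted from any signature wrapper.

```python
import plistlib

# Constructed sample profile (not the file described in the article).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Constructed sample</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadContent</key><data>AAEC</data>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>SSID_STR</key><string>example-net</string>
      <key>ProxyType</key><string>Manual</string>
      <key>ProxyServer</key><string>proxy.example.invalid</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>allowSafari</key><false/>
    </dict>
  </array>
</dict></plist>"""


def audit_profile(xml_bytes):
    """Return (payload_type, finding) pairs for settings that need manual review."""
    profile = plistlib.loads(xml_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        # A root-certificate payload changes which CAs the device trusts.
        if ptype == "com.apple.security.root":
            findings.append((ptype, "adds a trusted root certificate"))
        # Any payload carrying a proxy setting other than "None" reroutes traffic.
        if payload.get("ProxyType", "None") != "None":
            target = payload.get("ProxyServer", payload.get("ProxyPACURL", "?"))
            findings.append((ptype, "sets proxy %s" % target))
        # Restrictions payload: allow* keys set to false disable features or apps.
        if ptype == "com.apple.applicationaccess":
            for key, value in sorted(payload.items()):
                if key.startswith("allow") and value is False:
                    findings.append((ptype, "restriction %s=false" % key))
    return findings


if __name__ == "__main__":
    for ptype, finding in audit_profile(SAMPLE_PROFILE):
        print(ptype, "->", finding)
```
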
From: Larry on
John Navas <spamfilter1(a)navasgroup.com> wrote in
news:lbuhm55qbfcjbui59jlla7fa2g08u9o8sp(a)4ax.com:

> Apple's iPhone is vulnerable to exploits that allow an attacker to spoof
> web pages even when they're protected by the SSL, or secure sockets
> layer, protocol, a security researcher said.
>
>

IMPOSSIBLE! Apple products are perfect and "no one has ever had a virus",
some idiot said on here.


--
"iPad is to computing what Etch-A-Sketch is to art!"

Larry

From: George Kerby on



On 2/3/10 2:12 AM, in article Xns9D1420AFBBBBCnoonehomecom(a)74.209.131.13,
"Larry" <noone(a)home.com> wrote:

> John Navas <spamfilter1(a)navasgroup.com> wrote in
> news:lbuhm55qbfcjbui59jlla7fa2g08u9o8sp(a)4ax.com:
>
>> Apple's iPhone is vulnerable to exploits that allow an attacker to spoof
>> web pages even when they're protected by the SSL, or secure sockets
>> layer, protocol, a security researcher said.
>>
>>
>
> IMPOSSIBLE! Apple products are perfect and "no one has ever had a virus",
> some idiot said on here.
>
You and NavASS need to get a booth at the Waffle House, Lar. You have a LOT
in common.