iPhone denial of service vulnerability discovered by McAfee (finally)

One of the McAfee Avert Labs bloggers Jimmy Shah has "found" the Denial of Service vulnerability in iPhones Safari browser that we first reported on over two weeks ago here on iPhone World.

"The researchers who found the vulnerability were looking for a method to unlock the file system on iPhones with the latest firmware (1.1.3). Unlocking the file system allows the installing of custom ringtones and third party applications. With the last firmware version you could automatically unlock your iPhone by visiting a particular website with the Mobile Safari browser," he wrote.



The DoS vulnerability can be exploited by visiting the proof of concept page and clicking a button that will launch a warning and the exploit code will run. The iPhone is then unresponsive before rebooting a less than a minute later, he said.

"The DoS bug exploit is partially based on JavaScript code from the Month of Browser Bugs(MOBB). During the MOBB a group of security researchers released an exploit for web browser vulnerability every single day. While the original exploit was targeted at desktop browsers, the modified version simply attempts to fill memory and crash the phone," he wrote. The bug will only prevent you from using the iPhone temporarily and doesn't steal data or permanently damage the iPhone. The proof of concept requires user interaction, by pressing the "Go" button that appears, but "a more malicious site could run the code without permission," he noted.

You can avoid such DoS vulnerability by disabling JavaScript by going to Home>Settings>Safari. However you won’t be able to access certain web applications.

This, of course shows how slow the security firms are to respond to already discovered threats. While our original story on the topic was picked up by Wired, Engadget, and The Register among others, it took McAffee a few more weeks to "discover" the threeat.