ISE's president, Avi Rubin, defended the decision to announce the existence of the vulnerability prior to a patch being made available by Apple. "Why are we doing that? Well, I believe that there is a social responsibility to report it when a device is vulnerable to attackers," said Rubin on his own blog Sunday. "People buy these things and use them in ways that put their identity and their online accounts at risk, and by exposing these vulnerabilities, we can make users better judges of how to use their high-tech devices." Rubin is familiar to many security observers from his research into problems with electronic voting systems.
The paper by Miller, Honoroff, and Mason also spelled out a number of weaknesses in the iPhone's security architecture, although it didn't specifically pin the vulnerability on any of those flaws. One, however, most likely contributed to the reach of the exploit.
"There are serious problems with the design and implementation of security on the iPhone," the paper said. "The most glaring is that all processes of interest run with administrative privileges. This implies that a compromise of any application gives an attacker full access to the device."
Other deficiencies the trio cited in the iPhone's operating system included the absence of address space layout randomization (ASLR) -- a technique already used by Windows Vista that makes it harder for attackers to write reliable exploit code, because the addresses an exploit depends on change from one run to the next -- and a heap whose memory is executable, so that data an attacker injects can be run directly as code.
Those last two shortcomings have been criticized in the desktop version of Mac OS X for some time. Three months ago, during the fallout after a hacking contest that jacked a MacBook Pro notebook, HD Moore -- the vulnerability researcher noted for the Metasploit hacking and attack testing software -- took on the claim that Mac OS X is safer than Windows. "The Mac OS X platform is years behind Linux, Windows, and OpenBSD in terms of operating-system security," said Moore then. "All of the above platforms support some form of address randomization (ASLR) and include features that make exploitation slightly more difficult."
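To make those two properties concrete, here is an added example (not code from the paper, this article, or Apple) that checks them on a Linux system using the /proc/<pid>/maps format: it flags mappings that are both writable and executable (an executable heap shows up as an rwx region) and compares region base addresses across two runs of the same program to tell randomized regions from fixed ones. The two maps snapshots are constructed sample data; the program path /tmp/demo, the inode numbers and the addresses are made up. It is a Linux illustration of the concepts, not a test of the iPhone.

```python
import os
import re
from typing import Dict, List, Tuple

# Constructed sample: two /proc/<pid>/maps snapshots of the same (hypothetical)
# program, one from each of two separate runs. Made-up addresses in the real
# Linux format; nothing here was captured from a device.
RUN_A = """\
00400000-00401000 r-xp 00000000 08:01 1234 /tmp/demo
00600000-00601000 rw-p 00000000 08:01 1234 /tmp/demo
01e2a000-01e4b000 rwxp 00000000 00:00 0     [heap]
7f3a1c000000-7f3a1c1c0000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc.so.6
7ffd4a1e0000-7ffd4a201000 rw-p 00000000 00:00 0     [stack]
"""

RUN_B = """\
00400000-00401000 r-xp 00000000 08:01 1234 /tmp/demo
00600000-00601000 rw-p 00000000 08:01 1234 /tmp/demo
01e2a000-01e4b000 rwxp 00000000 00:00 0     [heap]
7f9b02000000-7f9b021c0000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc.so.6
7ffc12345000-7ffc12366000 rw-p 00000000 00:00 0     [stack]
"""

# One line of /proc/<pid>/maps: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})"
    r"\s+\S+\s+\S+\s+\d+\s*(?P<path>.*)$"
)


def parse_maps(text: str) -> List[Dict[str, object]]:
    """Parse maps-format text into a list of region dicts; skips malformed lines."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        regions.append({
            "start": int(m["start"], 16),
            "end": int(m["end"], 16),
            "perms": m["perms"],
            "path": m["path"].strip(),
        })
    return regions


def writable_executable(regions: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Regions that are both writable and executable, i.e. W^X violations.
    An executable heap is exactly a writable+executable [heap] mapping."""
    return [r for r in regions if "w" in r["perms"] and "x" in r["perms"]]


def region_bases(regions: List[Dict[str, object]]) -> Dict[str, int]:
    """Lowest start address for each named region (anonymous regions grouped)."""
    bases: Dict[str, int] = {}
    for r in regions:
        name = r["path"] or "<anon>"
        bases[name] = min(bases.get(name, r["start"]), r["start"])
    return bases


def randomized_regions(maps_a: str, maps_b: str) -> Tuple[List[str], List[str]]:
    """Compare two runs: names whose base moved (randomized) and names whose
    base stayed put (no ASLR for that region, e.g. a non-PIE main binary)."""
    a = region_bases(parse_maps(maps_a))
    b = region_bases(parse_maps(maps_b))
    moved = sorted(n for n in a if n in b and a[n] != b[n])
    fixed = sorted(n for n in a if n in b and a[n] == b[n])
    return moved, fixed


if __name__ == "__main__":
    wx = writable_executable(parse_maps(RUN_A))
    print("writable+executable regions in sample:", [r["path"] for r in wx])
    moved, fixed = randomized_regions(RUN_A, RUN_B)
    print("randomized between runs:", moved)
    print("fixed between runs:", fixed)
    # Live check of this interpreter's own mappings, only where /proc exists.
    if os.path.exists("/proc/self/maps"):
        with open("/proc/self/maps") as fh:
            live = writable_executable(parse_maps(fh.read()))
        print("writable+executable regions in this process:", [r["path"] for r in live])
```

Running the script twice and diffing the printed libc and [stack] bases is the quick manual version of the randomization check; the sample data deliberately shows a non-PIE binary at a fixed 0x400000 and a fixed, executable heap alongside a randomized libc and stack, which is the mixed picture one often sees on systems with only partial mitigations.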
The ISE researchers have also posted a short video of their hack in action on YouTube.