Part 3:
iPhone Hack Highlights Windows-like Security Risk
The iPhone reportedly contains a serious vulnerability in its Safari Web browser that can hand over control of the device to an attacker if the user browses a poisoned Web site. It's a critical flaw made worse by poor design.
Apple chose to allow everything on the iPhone, including the browser, to run as the same user. It's a common tactic for smartphones, but when Microsoft effectively went that route with XP, where the default accounts run as administrators, it had to spend a huge amount of effort trying to fix the consequences with things like UAC in Vista. In an ironic twist, Apple started with a good model in Mac OS X, but ditched it for the iPhone.
Though ISE, the research group that found the flaw, isn't yet providing full details, the description of the iPhone hole sounds much the same as vulnerabilities that have plagued various browsers for years. If an attacker can get you to visit a hacked Web site, by getting you to use a malicious WiFi network or click a link in an e-mail, for example, then attack code on that site can force Safari to execute code of the attacker's choosing.
That command might be to install a virus, or, as in the demonstration described in a New York Times article, collect personal data and send it back to the attacker.
Microsoft engineers are nodding their heads at that description, because they've been battling similar-sounding flaws in IE for years. Having one pop up for the iPhone only underscores the point that the device really is a handheld computer. And the one great inescapable truth for any computer connected to the Internet is that it's vulnerable to attack.
The sane approach is to try and mitigate the potential damage for when - not if - someone breaks into the computer. One very important part of that damage mitigation is user privileges.
In any operating system, whether it's on a phone or a desktop, every program runs with some set of user privileges, and the operating system uses those privileges to decide what the program may read, write and execute. Microsoft has taken plenty of heat because in the usual XP setup, everything runs with full administrator privileges. That means that if an attacker managed to break IE (not a difficult thing by any means), they had free rein over your computer, instead of being restricted to what that one user could access. I wrote about the problem and some software solutions for XP a while back.
Microsoft wised up with Vista, sort of. UAC is annoying as hell, but it's meant to mitigate this access-to-everything user security hole. And Protected Mode for IE 7 cordons off the browser by running it at a reduced (low integrity) privilege level, so that if and when it gets hacked, the attacker can't fully run amok.
Apple started with a good user security model, with Mac OS X's Unix-like arrangement, in which programs run with the privileges of an ordinary user account rather than as root. And then it scrapped that model for the iPhone. According to security vendor Sophos, in the interests of simplicity, Apple made the same mistake that Microsoft has spent so much time trying to fix, and lets everything on the iPhone run as the same user.
So just like with IE on Windows XP, if an attacker busts Safari on the iPhone with this new attack, he can do anything he wants.
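To make the privilege argument concrete, here is a small model of the Unix-style discretionary access check that decides whether a process may read a file, applied to two layouts: one where the browser, mail and contacts all run as a single user (the iPhone and XP situation the article criticizes), and one where each application has its own user. This is an added illustration written for this page, not code from the article, ISE, Apple or Microsoft; the file paths, user IDs and application names are constructed for the example.

```python
"""Toy model of Unix discretionary access control (DAC), added to illustrate
why "everything runs as one user" leaves a compromised browser free to read
every other application's data. All paths and uids below are constructed."""
from dataclasses import dataclass
import stat


@dataclass(frozen=True)
class File:
    path: str
    owner: int   # uid owning the file
    group: int   # gid of the file
    mode: int    # permission bits, e.g. 0o600


@dataclass(frozen=True)
class Process:
    name: str
    uid: int
    gid: int


def can_read(proc: Process, f: File) -> bool:
    """Standard DAC read check: root bypasses; otherwise the owner, group or
    other read bit applies, in that order, exactly as the kernel evaluates it."""
    if proc.uid == 0:
        return True
    if proc.uid == f.owner:
        return bool(f.mode & stat.S_IRUSR)
    if proc.gid == f.group:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)


def readable_by(proc: Process, files: list) -> list:
    """Paths in `files` that `proc` is allowed to read."""
    return [f.path for f in files if can_read(proc, f)]


def build_files(owner_of: dict) -> list:
    """Constructed per-application data files. `owner_of` maps an application
    name to the uid that owns its files; every private file is mode 0o600."""
    return [
        File("/browser/cache.db", owner_of["browser"], owner_of["browser"], 0o600),
        File("/contacts/addressbook.db", owner_of["contacts"], owner_of["contacts"], 0o600),
        File("/mail/inbox.mbox", owner_of["mail"], owner_of["mail"], 0o600),
        File("/etc/timezone", 0, 0, 0o644),  # world-readable: harmless either way
    ]


# Model A: the single-user layout the article criticizes (all apps share uid 501).
SINGLE_USER = {"browser": 501, "contacts": 501, "mail": 501}

# Model B: each application runs as its own unprivileged user (hypothetical uids).
PER_APP = {"browser": 1001, "contacts": 1002, "mail": 1003}


def compromised_browser_reach(owner_of: dict) -> list:
    """What an attacker who has taken over the browser can read under a model.
    The browser process runs with the uid/gid assigned to 'browser'."""
    browser = Process("browser", owner_of["browser"], owner_of["browser"])
    return readable_by(browser, build_files(owner_of))


if __name__ == "__main__":
    for label, model in (("single user", SINGLE_USER), ("per-app users", PER_APP)):
        print(f"{label:14s}: compromised browser reads {compromised_browser_reach(model)}")
```

Under the single-user layout the compromised browser reads the contacts and mail databases along with its own cache; under the per-application layout the same 0o600 permissions confine it to its own cache and the world-readable file. The check itself never changed, only the identity the browser runs as, which is the whole point of the article's complaint.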
In fairness, most (maybe all) PDAs and smartphones are set up the same way to favor simplicity over security, and people might very well get confused if their phone asked them for a password. Also, I sincerely doubt that online attackers will be distracted from their Windows feast long enough to set up actual iPhone attack sites.
But still, when Apple was working on its forward-looking multi-touch display, I wish it would have spent a little time moving security forward as well. I suspect that it will wish the same before too long.
PC World