Caught up with the “critical” iPhone vulnerability yet?
SPI is telling iPhone users not to use the feature where you can tap on a phone number and have your phone call someone because an attacker could redirect your call.
In their coverage, Security Mentor says:
That may be overcautious since they don’t report any cases in the wild of bad guys using this bug to attack people.
Let’s say that there are a million iPhone users. Now what is the probable number of people out there that know of this vulnerability and would have intent to use it? How many of them have access to high traffic websites? What’s the probability that an iPhone user would:
- Go to a mal-site, an evil website set up just to make fraudulent charges?
- Click on the phone link?
What’s the impact there in 900 call charges to the iPhone user?
These are all fairly negligible. The real question here?
What’s the value of the iPhone vulnerability press release?
I’d be much more concerned about Sellouts infamous worm.
(via RiskAnalys.is)
July 18, 2007, 10:47am