HD Moore takes iPhone exploits public

Noted hacker HD Moore has publicly posted exploits that take advantage of a vulnerability in Apple's iPhone, the same flaw that's been used by others to unlock the smart phone so it will work on non-AT&T networks.

The vulnerability, which is in the TIFF image-rendering library shared by the iPhone's Safari browser and its e-mail program, as well as by the iTunes software, leaves the iPhone wide open to attack, said Moore, who posted a second, and more robust, exploit today after debuting attack code yesterday.

"This exploit is rock solid," Moore said in an interview. "It's very reliable, as reliable as the WMF [Windows Metafile] exploits in Windows. You can send it in an e-mail, you can embed it in a Web page."

Although the vulnerability is the same as the one leveraged by hackers such as the iPhone Dev Team to return unlock capabilities to iPhones updated to Firmware 1.1.1 last month, Moore said that's the only similarity between his work and the activities of unlockers. "I wanted an exploit that would write any arbitrary payload" to the iPhone, rather than the specialized changes made for an unlocking hack, Moore said.

He claimed success. "The second exploit works on 1.0, 1.0.1, 1.0.2 and 1.1.1 iPhones," he said, referring to the four versions of the phone's firmware released since the device's June debut.