Apple fixes iPhone call-hijack flaw

Version 2.2 of the iPhone firmware addresses 12 security flaws, one of which could let users be tricked into visiting websites that initiate unstoppable, premium-rate calls

A serious security vulnerability has been discovered in the iPhone, but Apple said it has fixed the flaw in its latest firmware update for the handset.

On Thursday, the Fraunhofer Institute for Secure Information Technology (SIT) in Germany announced the flaw's discovery. The vulnerability could allow users to be tricked, via a link in an email, into opening webpages which then take over the iPhone's dialling capabilities, potentially calling a premium-rate number with the user being unable to stop the call.

"Today we published a small security bug present in the iPhone OS until version 2.1," wrote Fraunhofer SIT researcher Collin Mulliner on his blog on Thursday. "The bug is small but has [a] big impact in the way that it can be used to call arbitrary phone numbers from visiting a website."

On Friday, Apple released version 2.2 of the iPhone firmware. One of the security enhancements in the update, bearing the ID CVE-2008-4233, was aimed at stopping the flaw uncovered by Mulliner.

Apple described the bug thus: "If an application is launched via Safari while a call-approval dialogue is shown, the call will be placed. This may allow a maliciously crafted website to initiate a phone call without user interaction. Additionally, under certain circumstances it may be possible for a maliciously crafted website to block the user's ability to cancel dialling for a short period of time."

"This update addresses the issue by properly dismissing Safari's call-approval dialogue when an application is being launched via Safari," the security note read. "Credit to Collin Mulliner of Fraunhofer SIT for reporting this issue."

All in all, Apple addressed 12 vulnerabilities in version 2.2 of the iPhone firmware. Some of the flaws concerned the possibility of users being tricked into opening "maliciously crafted" Tiff or Excel files.

Another fix addressed the realisation by Apple that "the encryption level for PPTP VPN connections may be lower than expected", while one fix restricted emergency calls to a limited set of phone numbers — prior to that particular fix, an emergency call could be made to any number despite the device being locked.

The firmware update also included new features, such as the addition of Google Street View.