The second day of the Pwn2Own competition, organised by the Zero Day Initiative (ZDI) team at security researchers TippingPoint, was devoted to iPhone and BlackBerry. Charlie Miller exploited a vulnerability in the mobile version of the Safari web browser on iOS 4.2.1 to delete the address book when a manipulative website was visited.
However, the first attempt failed when the browser merely crashed. But the second attempt succeeded and earned Mr Miller $15,000 and an iPhone. Miller had help from Dion Blazakis.

To get around data execution prevention (DEP) on the iPhone, Miller used Return-Oriented Programming (ROP), in which no code is placed on the stack; instead, addresses that call existing code fragments are. Miller says his exploit does not, however, work on the recently published iOS version 4.3, where Apple has implemented Address Space Layout Randomization (ASLR) for the first time. Libraries are now loaded to random addresses, thereby preventing ROP from working without further work. However, the vulnerability that Miller exploits remains in iOS 4.3.

The link for this article located at H Security is no longer available.