Monday, July 23, 2007
iPhone security again
“The phone promptly followed instructions to transmit a set of files to the attacking computer that included recent text messages — including one that had been sent to the reporter’s cellphone moments before — as well as telephone contacts and e-mail addresses.”
From the New York Times article about the newest reported iPhone security vulnerability.
Dr. Charles A. Miller, of the firm Independent Security Evaluators, reports that a malicious web page or a WiFi network run by somebody hostile can completely take over an iPhone. Full details haven't been published yet, but well-regarded security people have reviewed his findings and say it's for real.
Technical details of the iPhone security vulnerability.
It's hard to protect yourself, but it looks like the good guys found out about this first. Apple's been notified and ought to release a patch soon. iPhone updates will come through iTunes.
Meanwhile, do the standard things: stay out of bad neighborhoods on the web and don't click on links if you don't know where they go.
What nobody's saying is that Apple made a bad design decision. Once the bad guys have taken over the browser, they shouldn't have complete run of the machine. But they do. According to the ISE report, the browser is running with the privileges of a system administrator. Apple made a mistake by making that possible. Web browsers are complicated and have to deal with uncontrolled, often hostile input: it's wrong to trust them with the master keys to your computer.
UPDATE 7/26:
There's a video of the iPhone security hole.