Charlie Miller, who won Pwn2Own 2011 contest by exploiting iPhone 4 security, confirmed through a recent tweet that the iOS 4.3.1 update released yesterday does not fix the Pwn2Own exploit.
Here’s what he has tweeted.
From the tweet:
iOS 4.3.1 does not fix the pwn2own bug. It’s weird they fixed it in the next os x update after the contest, but not the next iPhone update.
More time for the bad guys to get their bindiff->iPhone exploit workflow going.
The attack simply required that the target iPhone surfs to a rigged web site. On first attempt at the drive-by exploit, the iPhone browser crashed but once it was relaunched, Miller was able to hijack the entire address book.
It’s unclear why Apple didn’t fix the widely publicized exploit.