
Apple Patches iPhone SMS Security Flaw

A month after first announcing that the iPhone had a serious security flaw in how it handled text messages (and even longer still since it was first brought to Apple’s attention), Charlie Miller at last publicly demonstrated the attack at yesterday’s Black Hat Security Conference, and released a paper detailing how it is executed.

The flaw, which allows a hacker to hijack a phone by flooding it with invisible SMS control messages, isn’t iPhone-specific. Windows Mobile and Android are also vulnerable, though Google patched the hole with its Cupcake update. The flaw is particularly worrisome since the only sign a user would see is a single text message with a lone box-like character. The rest of the control messages would not appear on the handset, but could shut down the phone entirely or even automatically forward the commands to other iPhones, creating a vast mobile botnet.

Miller and his partner, Collin Mulliner, demonstrated the attack using an iPhone with OS 2.2.1, but the vulnerability was not patched with the 3.0 update. Technologizer backs up the pair’s claim, pointing out that the hole was not among the 46 security flaws plugged by the new OS update, and Elinor Mills, of CNET, claims the attack was informally demonstrated on her non-jailbroken iPhone running OS 3.0.

European cellular provider O2 told the BBC that Apple is patching the flaw, and an update should be available this weekend through iTunes, but Apple quickly (and without much fanfare) pushed the update, OS 3.0.1, to iTunes ahead of schedule.

So, no need to panic: the patch is available now through iTunes (better late than never, right?), and besides, the exploit is complex enough that it would likely take evildoers weeks to figure out how to leverage it for nefarious purposes. [From: CNET, Business Week, TUAW, and Mashable]
