The Fraunhofer Institute for Secure Information's official release describes an attack which, after fooling users into visiting a maliciously crafted website, automatically kicks the phone into its dialer and composes a number without giving the user a chance to interrupt.
The trick theoretically allows the site owner to set up a 900 number or other calling destination that costs money or otherwise causes a problem.
Fraunhofer's Collin Mulliner notes that the exploit only requires three lines of code and is simple enough that anyone with "basic HTML knowledge" could add the formatting to a page and trigger the compromise.
While dangerous, the exploit was demonstrated to Apple a month ago with an understanding that it would be fixed soon.
The security experts, however, have also revealed that the necessary patch will surface in upcoming firmware from Apple -- code which Fraunhofer claims is due on November 21st.
Although the chance exists that the update in question is a minor maintenance update, the announcement comes just as Apple is generally believed to be wrapping up development of its major iPhone 2.2 upgrade, prompting speculation that the security fix is being rolled into the larger revision and is on the verge of being released.
After converting version 2.1 into a primarily bug-focused update, the electronics giant is known to be using 2.2 as a vehicle for several important feature requests. Among these will be a complete Google Maps refresh with Street View and non-driving directions, the ability to download podcasts over the air, an altered Safari and App Store client, and emoji icons for Japanese cellphone owners, who often depend on them for text messaging.