

July 24, 2008

Security Researcher Warns of Unpatched iPhone Bugs


Per a report issued by browser vulnerability researcher Aviv Raff, security vulnerabilities in the iPhone's Safari web browser and e-mail application can be used by phishers to trick users into visiting malicious web sites or to expose them to a flood of junk mail.

According to Macworld UK, the researcher reported three separate bugs to Apple about two weeks ago; two in the Mail program and one in the Safari browser.

Apple has apparently acknowledged that the two vulnerabilities in Mail are security issues, though the company seems undecided as to whether the Safari flaw meets its security bug criteria, according to Raff. At times, Apple has balked at labeling problems as security vulnerabilities, notably in May when it initially said the so-called "carpet bomb" bug was not security related. A month later, Apple did patch Safari to stymie the kind of attacks that Raff, and other researchers, had outlined.

"By creating a specially-crafted URL, and sending it via an email [message], an attacker can convince the user that the spoofed URL, showed in the Mail application, is from a trusted domain, such as a bank, PayPal or social networks," Raff said in a post to his blog Wednesday afternoon. "When clicking on the URL, the Safari browser will be opened [and] the spoofed URL, showed in the address bar, will still be viewed by the victim as if it is of a trusted domain."

With no patches yet available for the issues, Raff urged users to refrain from following web links embedded in messages. He went on to recommend that users stop using the iPhone's e-mail application entirely if they wanted to avoid spam e-mail.

Raff was hesitant to talk about the technical details of any of the three bugs in a follow-up interview, saying that he would not disclose any specifics until Apple patches the problems. When asked whether the spoofing flaws in Mail and Safari might be somehow related to protocol handler issues - a common source of bugs in browsers for more than a year now - Raff at first said, "No, nothing to do with protocol handling." However, moments later he added: "Hmmm. Let me rephrase it. Almost nothing to do with protocol handling."

Raff described the spam-related flaw in Mail as a "very basic design flaw," but refused to provide any further details about the issue.

Raff also noted that the three bugs are present in version 1.1.4 and the recently released version 2.0 of the iPhone firmware, and that they had already been patched in the more full-featured version of Mail for Mac OS X.

Apple has yet to comment on Raff's reports.

If you've seen these bugs emerge or have thoughts on this issue, let us know over in the comments or forums.

Posted by chrisbarylick at July 24, 2008 8:17 AM
Category: Security
Tags: 1.1.4, 2.0, Apple, Aviv Raff, bug, firmware, fix, iPhone, Mac, Mail, OS, OS X, patch, Paypal, protocol, researcher, Safari, security, update, URL, version, vulnerability