The attack simply required that the target iPhone surfs to a rigged web site. On first attempt at the drive-by exploit, the iPhone browser crashed but once it was relaunched, Miller was able to hijack the entire address book.
The interesting thing though is that iPhone 4 running on the recently released iOS 4.3 is safe from this vulnerability, sort of. This is because of ASLR (Address Space Layout Randomization) which Apple has implement in the latest version of iOS. However the exploit exists in iOS 4.3 and will need ASLR to be bypassed (which is much harder to do) in order to inject any code. iOS devices running iOS 4.2.1, and below are vulnerable to this exploit.
In an interview with ZDNet, Miller said:
If you update your iPhone today, the [MobileSafari] vulnerability is still there, but the exploit won’t work. I’d have to bypass DEP and ASLR for this exploit to work.
As of 4.3, because of the new ASLR, it will be much harder.