Apple fixes iPhone SMS flaw

Apple on Friday fixed an SMS-related security flaw in the iPhone that had been at the center of one of the most talked-about exploits at this week's Black Hat security conference.

"We appreciate the information provided to us about SMS vulnerabilities which affect several mobile phone platforms," Apple representative Tom Neumayr told CNET.

"This morning, less than 24 hours after a demonstration of this exploit," Neumayr continued, "we've issued a free software update that eliminates the vulnerability from the iPhone. Contrary to what's been reported, no one has been able to take control of the iPhone to gain access to personal information using this exploit."

The security flaw involved malicious SMS messages that could allow hackers to take control of an iPhone. The flaw could have let them make calls, send text messages, or almost anything they wanted on the victim's iPhone.

Security researchers Collin Mulliner and Charlie Miller showed the flaw in action at Black Hat earlier this week. Miller said the flaw could take control of the iPhone because of the way the device handled the SMS message. Researchers at Black Hat also showed how SMS-related vulnerabilities can affect Windows Mobile smartphones including those from HTC, Motorola, and Samsung.

Miller said that Apple was first notified of the flaw six weeks ago.

According to Apple, the iPhone 3.0.1 update released today improves the device's memory handling, essentially fixing the exploit.

The update is available by plugging your iPhone into your computer and clicking on the Check for Update button in iTunes.

[myles taylor]

Why isn't Apple perfect!? They are supposed to be! I can't believe there was a flaw in their phone. blah blah blah. <br /><br />I just thought I'd join in the flaming for once.

[YankeePoodle]

If I am not wrong the CNet article yesterday said that Apple knew of this vulnerability 6 weeks ago. The statement of the spokesperson pretends as if they have fixed in 24hrs.

[make_or_break]

Of course the spokesperson did; that's their job...spin doctoring. It's rather convenient that they forget to add in the 'six weeks' part of the equation.

[tyluh]

this is a vulnerability to all phones that can receive SMS messages.

[shycelticwitch]

Can I flame too? LOL. Of course Apple is not perfect, just as dang close as you can get. I am sure sooner or later I may have an issue with one of their products, but not yet after 20 years. Can't argue with a record like that.

[BogusBasin]

14 years. No virus protection. No viruses. Ever.<br /><br />Amen

[kojacked]

BB: Just mental issue, eh?

[Vegaman_Dan]

@BogusBasin: <br /> <br />"14 years. No virus protection. No viruses. Ever." <br /> <br />For your own system that may be the case. But the Apple OS has had its share of exploits. You can easily find them with Google, Bing, or whatever search engine you choose to use.

[monkeyfun14]

@BogusBasin<br /><br />"14 years. No virus protection. No viruses. Ever."<br /><br />Thats odd I was under the impression that you were a 12 year old.

[mclaurin10]

@monkeyfun14<br /><br />If he 12 then your definitely 8. Jesus dude, I come here to read the news and all I see is you flaming the **** out of any article that has to do with apple/Microsoft. Get a life and realize that its a waste of time to flame on this stupid stuff, your not going to change anyones minds by saying "CRapple SUX"

[monkeyfun14]

@mclaurin<br /><br />Find 5 articles of me flaming Apple and not the fanboy above the comment?

[Dalkorian]

Dan's right, no OS is perfectly invulnerable. Keep it updated and keep your head on, there's not only vulnerabilities/exploits for OSX but even a few trojans (yes, OSX aware malware!) in the wild.<br /><br />No viruses and no worms though, you're right there.

[SlimGem]

We all know that a monkey's idea of fun is slinging it's own poop.

[santuccie]

@Dalkorian:<br /><br />As if you haven't already been told, there's no trick to getting a virus to run on any platform it is designed for, because viruses typically work by tricking the user into opening an infected file, such as a PDF document, Word document, or PowerPoint slideshow. The reason they only exist for Windows and PPC Mac is because viruses are NOT profit driven; they are targeted, generally at politicians and high-profile clergymen, practically all of whom run Windows. As far as worms go, you're mistaken. In fact, the very first malware written for Intel Mac in 2006 was a worm, called Leap A.<br /><br />That said, still waiting for Apple to patch this one: http://www.intego.com/news/ism0905.asp<br /><br />Thankfully, the abundance of vulnerable PCs running Windows XP keeps most hackers preoccupied. But since iBotnet surfaced, it has been known that criminals are now starting to take a serious look at Mac OS X, which now owns almost 10% of the global OS market. Just like it took 2-3 years following the release of XP and IE6 for the first drive-by downloads to emerge, it will probably be at least a year or two before bot herders in Russia and China are familiar enough with your platform to develop a working exploit. But since 2007, it has been brought to their attention that this will be far easier than exploiting a Vista machine, which they have been failing to infiltrate for three years now.<br /><br />In 2007, CanSecWest started holding an annual contest called Pwn2Own, in which security researchers can win money and notebook computers for successful exploits. On day 1, people attempt to penetrate the firewall by exploiting bugs in the OS itself; so far, no one has succeeded on any platform. On day 2, people attempt to exploit preinstalled browsers (IE on Windows, Firefox on Ubuntu, and Safari on OS X). On day 3, people can exploit popular third-party software, such as Java and Adobe Flash.<br /><br />Every year on day 2, OS X has been the first to go down. In 2008 (I believe), Shane Macaulay managed to exploit Vista through Adobe Flash on day 3. And this year, an anonymous hacker known only as "Nils" managed to exploit Safari, IE, and Firefox. I can't verify whether Firefox was exploited on OS X or Windows 7 beta, but it should be noted that this was before Microsoft introduced a new technology to Windows 7 called "Safe Unlinking." And more importantly, all security researchers agree unanimously that OS X is "easy pickings," while Vista and Windows 7 are far more difficult to exploit (even without UAC enabled). There is also speculation that, if Windows 7 eats away too much of XP's market share, criminals will most likely begin to focus on the OS X, which has the added disadvantage of a very low percentage of users running security software.<br /><br />http://securitywatch.eweek.com/apple/mac_hacked_via_safari_browser_in_pwn2own_contest.html<br />http://www.darknet.org.uk/2008/03/mac-owned-on-2nd-day-of-pwn2own-hack-contest/<br />http://blogs.zdnet.com/security/?p=2917<br />http://it.toolbox.com/blogs/securitymonkey/mac-os-x-local-user-exploit-appears-12026<br />http://www.linuxtoday.com/news_story.php3?ltsn=2009-04-17-030-35-SC-SW<br />http://blogs.computerworld.com/why_windows_is_safer_than_the_mac<br />http://blogs.zdnet.com/hardware/?p=533&#38;tag=rbxccnbzd1<br /><br />Now, show me a link that says OS X is more secure than Vista or Windows 7. Bet you can't! Sorry to bust your bubble, but science trumps religion this time.

[FreddieT]

I wonder what else, if any, is included in OS 3.0.1?

[Perry_Clease]

Maybe the MMS feature we have been promised

[BogusBasin]

MMS. Don't get me started. The iPhone is ready. ATT is the holdup. As soon as I have a choice, I will dump ATT post haste.<br /><br />Amen

[Dust_Puppy]

Apple Hacks the USB ID to say it's a palm device so it can sync with Palm Desktop.<br /><br />ooooh baby, I've been waiting to integrate with that gem of a piece of software :D

[SeizeCTRL]

I can't wait for the MMS commercial! It will be spectacular because when you watch it, you will think that Apple invented MMS and it will be the first phone in the history of phones capable of MMS, just like copy/paste and shooting video :D

[Vegaman_Dan]

@Dust_Puppy: <br /> <br />I don't know... I would actually be happy if I could get notes to synch from the iPhone/Touch to iTunes/Mail like you could do so easily on the Palm OS.

[cvaldes1831]

Hey, I'll get in on the action as well.<br /><br />Does this update add GV Mobile and VoiceCentral back to the App Store?

[Perry_Clease]

I am downloading it now, 230MB

[shellcodes_coder]

LOL

[jakemochas]

now you can have something the size of XP in the palm of your hand haha

[Vegaman_Dan]

While it's good to get the thing patched, the timing is suspect. If they knew about this issue six weeks ago, but only release a patch within 24 hours *after* the flaw is revealed publically, then why wasn't it issued earlier? Did it really take them six weeks and 12 hours to get it ready and the timing of this was just a coincidence, or did the publication of the flaw force their hand in this? <br /> <br />How many more flaws are they sitting on hoping nobody notices? <br /> <br />This is true of Apple, Microsoft, and others. No company wants to admit to a flaw in the product, but the timing is a bit suspicious.

[baconstang]

Right , because, as we all know, Apple has always had a problem with soooooo many vulnerabilities. Why, I'm lucky to get this post up before my iMac freezes for the ummm, first time.

[BogusBasin]

That's the real problem. Some people are unable to grasp real world performance. Technically, DSL is supposed to be faster than cable. The reason why can be argued with science and numbers. But in the end, cable internet's real world performance, in my area, is better than DSL. It goes down less often. It just works. Same thing with viruses on Mac OSX. Who cares? Maybe there are thousands of them out there. Maybe it is as susceptible as Windoze. Doesn't matter. The fact that I have NEVER seen ANY Mac with a virus EVER is the real world fact. How many PCs have I seen with a virus? A far greater number than would be expected given their market share advantage. That's reality. Put it in your pipe and smoke it.<br /><br />Amen

[Vegaman_Dan]

@BogusBasin: <br /> <br />"The fact that I have NEVER seen ANY Mac with a virus EVER is the real world fact. " <br /> <br />I can honestly say that in the 20+ years I've been in the industry, I have never seen a virus on any of my Windows systems either. <br /> <br />That's reality. You may want to take yours out of your pipe to make room for it.

[monkeyfun14]

@BogusBasin<br /><br />And I sat here thinking you were going to make a troll free post for once guess not.

[The_happy_switcher]

Vegaman once again on the case looking for that cover up. Good to see you're on the case Sherlock, let me know what you find. Conspiracy nuts rejoice.<br /><br />Btw, what do you suppose happened to Applerocks1963?

[monkeyfun14]

You tell us he was gone before you showed up

[make_or_break]

The power of being embarrassed in public; that gets my vote as to why they reacted so quickly after the fact. Nothing like being the company that jabs at their biggest competitor's flaws, then to have their own big nasty one slammed right back in their face with their big, market-dominating product.

[The_happy_switcher]

"You tell us he was gone before you showed up" I'm surprised you and the other apes on this board have never figured it out. LOL

[santuccie]

@BogusBasin:<br /><br />Still waiting for Apple to patch this one: http://www.intego.com/news/ism0905.asp<br /><br />Thankfully, the abundance of vulnerable PCs running Windows XP keeps most hackers preoccupied. But since iBotnet surfaced, it has been known that criminals are now starting to take a serious look at Mac OS X, which now owns almost 10% of the global OS market. Just like it took 2-3 years following the release of XP and IE6 for the first drive-by downloads to emerge, it will probably be at least a year or two before bot herders in Russia and China are familiar enough with your platform to develop a working exploit. But since 2007, it has been brought to their attention that this will be far easier than exploiting a Vista machine, which they have been failing to infiltrate for three years now.<br /><br />In 2007, CanSecWest started holding an annual contest called Pwn2Own, in which security researchers can win money and notebook computers for successful exploits. On day 1, people attempt to penetrate the firewall by exploiting bugs in the OS itself; so far, no one has succeeded on any platform. On day 2, people attempt to exploit preinstalled browsers (IE on Windows, Firefox on Ubuntu, and Safari on OS X). On day 3, people can exploit popular third-party software, such as Java and Adobe Flash.<br /><br />Every year on day 2, OS X has been the first to go down. In 2008 (I believe), Shane Macaulay managed to exploit Vista through Adobe Flash on day 3. And this year, an anonymous hacker known only as "Nils" managed to exploit Safari, IE, and Firefox. I can't verify whether Firefox was exploited on OS X or Windows 7 beta, but it should be noted that this was before Microsoft introduced a new technology to Windows 7 called "Safe Unlinking." And more importantly, all security researchers agree unanimously that OS X is "easy pickings," while Vista and Windows 7 are far more difficult to exploit (even without UAC enabled). There is also speculation that, if Windows 7 eats away too much of XP's market share, criminals will most likely begin to focus on the OS X, which has the added disadvantage of a very low percentage of users running security software.<br /><br />http://securitywatch.eweek.com/apple/mac_hacked_via_safari_browser_in_pwn2own_contest.html<br />http://www.darknet.org.uk/2008/03/mac-owned-on-2nd-day-of-pwn2own-hack-contest/<br />http://blogs.zdnet.com/security/?p=2917<br />http://it.toolbox.com/blogs/securitymonkey/mac-os-x-local-user-exploit-appears-12026<br />http://www.linuxtoday.com/news_story.php3?ltsn=2009-04-17-030-35-SC-SW<br />http://blogs.computerworld.com/why_windows_is_safer_than_the_mac<br />http://blogs.zdnet.com/hardware/?p=533&#38;tag=rbxccnbzd1<br /><br />Now, show me a link that says OS X is more secure than Vista or Windows 7. Bet you can't!

[SeizeCTRL]

So what took so long? They try to play it off like ooooh check out how fast we are with this patch, 24 hours blah blah blah! You were notified over a month ago!!! Why wait until the exploit is demonstrated before you release a fix? <br /><br />OOOH! I know why, because Apple was too busy rejecting Google apps like Latitude and Google Voice!

[Perry_Clease]

You really do need to seize control of yourself.

[SeizeCTRL]

Oh Perry you silly billy you... everyone here knows that you are the epitome of an Apple Fanboy... so your opinions will always be clouded by all the koolaid you drink. You will never see Apple in a negative aspect. But think about it. Apple is alerted to a security vulnerability 6 weeks ago. Nothing is done, no updates, nothing. Sure, someone might have began working on it... but the timing of the release has to be questionable. I'm sure you will see it as nothing more than coincidence that Apple releases the patch within a day that vulnerability is disclosed. I'm guessing though that you probably believe that Apple programmers stayed up all night drinking Red Bull and eating organic salads to come up with a fix. The reality is they were probably working on it for some time. I'm surprised that Apple didn't send in it's army of lawyers to prevent the disclosure.<br /><br />So before I go and um, seize control of myself, what are you views on Apple rejecting Google apps? Thank the stars that the FCC is starting to question Apple on this!

[baconstang]

The article I read this morning in the SFGate said windows Mobile devices were vulnerable too. Has MS fixed their hole?

[ballmerisanape]

They don't have to... security through obscurity ;)

[monkeyfun14]

And it also said it was caused by OEM's and not Windows Mobile itself nice reading what you want to read and ignoring other details.

[baconstang]

Read it yourself. <br />http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2009/07/30/BUFC191NCG.DTL

[baconstang]

and here... <br />http://news.cnet.com/8301-27080_3-10300536-245.html?tag=mncol;mlt_related

[lkrupp]

by YankeePoodle July 31, 2009 2:43 PM PDT<br />If I am not wrong the CNet article yesterday said that Apple knew of this vulnerability 6 weeks ago. The statement of the spokesperson pretends as if they have fixed in 24hrs.<br /><br />The C|net article says no such thing. It states that Charlie Miller SAID he told Apple about it six weeks ago. Charlie Miller is an egomaniac who has lied in the past about his activities. He has trumped up claims about his prowess in discovering past issues. So who's pretending? Miller has the history and the motive to lie about his claim here too. You hate Apple so you choose to believe Miller. It's that simple.

[make_or_break]

And you love Apple so much that you refuse to see ANY doubters and naysayers as nothing more than immature, maniacal idiots looking at tarnishing your beloved temple of technology? So, do you care to explain why your view is any better?<br /><br />Until Apple flat out denies that they were informed six weeks ago, then there's NOTHING to the contrary that says Miller is lying. Except you, that is.<br /><br />And who are you, again?

[DrtyDogg]

@lkrupp: Read it again, "This morning, less than 24 hours after a demonstration of this exploit" The wording is not contradictory to what Charlie Miller said. Remember one of Apple's PR people wrote the statement notice the 24 hours after a "DEMONSTRATION" of this exploit. More likely 24 hours after fielding a lot of calls from reporters as to why this isn't fixed yet.

[pacifickanaan]

Anyone here fix the iPhone issue before Apple (and made sure it works well for general distribution) please stand up... <br /><br />I'm just saying that unless you yourself came up with a fix before those guys in Cupertino, how can you even imply that they should have come up with a fix sooner? I'm no programmer but I would think I would need to know the problem, come up with a solution and test it repeatedly with various (ultimately infinite) scenarios to make sure it didn't conflict with the thousands of other apps out there. <br /><br />And if Apple released an update that fixed the security but produced other failures, do you know what a bigger headache that would be for the spokesperson?<br /><br />I'm in marketing. There are often many solutions to one problem. Coming up with the right one that doesn't incite a customer backlash is a bit harder to find. And sometimes you can never clean up a PR nightmare because a correct solution wasn't necessarily the right one. Perhaps the Vista people can attest to the difficulties of trying to change people's perceptions.<br /><br />I think Apple took the time to make sure they're sending out the right update. Do you know it sometimes takes weeks for our client to approve a single banner ad concept? I think, given that the six weeks they took for a fix didn't cause WW III, what's the big deal? <br /><br />It's funny to see how people are railing against Apple for not fixing this sooner or for spinning it to their advantage. The comments on this thread are because of a FIX to a problem! Can you just imagine what people here would be saying if Apple did something really bad like NOT fix the problem at all? You can't make everyone happy, I suppose.

[shellcodes_coder]

So the world's most advanced patch for the world's most advanced phone that can be hijacked via SMS has been released. What's the size of that patch? 1 GB?

[ikramerica--2008]

Nearly 300MB. And it took forever to install, as it was a MAJOR patch, including firmware and OS update.<br /><br />This was not a minor change it would seem, but something that they had been working on for more than a day. Let's hope they didn't "rush" out the fix because of the Black Hat jerks who take joy in showing exploits before they can be fixed, temporarily exposing far more people to a hack than otherwise would have been before the fix arrived.<br /><br />As this "researcher" said, he had notified Apple, and Apple was obviously working on it, but it was something they couldn't include in the original 3.0 OS despite knowing about it before 3.0 was released. That means it was hard to fix.

[DrtyDogg]

lol keep telling yourself that. Apple appreciates you sticking up for them, and for your hard work they want to reward you with an oportunity to buy some more BS. Go to www.apple.com to claim your reward.

[DaiVietSuKy]

Piece of turd failed to update. Had to restore my phone. I'm bringing it back to ATT if the 2nd time fails. This would be the last piece from Apple from me. No more!

[shellcodes_coder]

Good decision

[svgtom]

"we've issued a free software update that eliminates the vulnerability from the iPhone" <br /> <br />Well gee, that's generous of them. Would the alternative have been for people to pay for a fix to a security issue?

[ikramerica--2008]

You are aware that MANY cell phones over the years have a FOR A FEE firmware update program, even if it does fix a vulnerability or flaw in the phone. You have to pay for an installer and then the firmware itself, or pay your provider to install it.<br /><br />So yes, considering the scumbags in the market, it is "generous" of Apple to offer free fixes. I think all fixes should be free, and so does Apple. Yet you still lambaste them for it...

[svgtom]

@ikramerica <br /> <br />I am not aware of any that charge a fee for security updates. Please list those that do, as I will avoid them in the future and advise others to do the same. I can't believe that anyone who charges a fee to fix a security issue would still be in business.

[ifij775]

That was quick, but did they ever fix the general memory leak issues? I have been fighting that since the first SDK?<br /><br />Chris<br />http://worstiphoneapps.blogspot.com

[AppleSuxLeo]

The "patch" is probably as secure as Swill Cheese LOL

[tyluh]

this is a vulnerability to any phone that can receive SMS messages

[erikbock]

I am curious if this is also going to "Fix" the tethering hack.

[fshea]

3.01 Sucks Big Time with GPS <br /> <br />I have ViewTi Golf &#38; Golfshot GPS on my iPhone 3G. <br /> <br />After doing the upgrade on Saturday I went out and played a round of Golf this morning. <br /> <br />I stared with Golfshot GPS and the phone kept going to the black screen with the Apple on it. I had to reset it 4 times by the 3rd hole. I gave up on it and tried ViewTi Golf. Not nearly as good of a GPS app but it was the one I bought first. <br />This app made it through 2 holes before giving me the same experience. I finally got the phone to start and turned off GPS and the phone has been fine the rest of the day. <br /> <br />Way to go you Slack ass developers at APPLE. Wait until the 13th hour and put out an untested POS firmware update. <br /> <br />So now you have to decide update your phone to be safe or have it cripple your phone. <br /> <br />I've got a buddy that has not done the upgrade and both Apps worked great as they had on mine in the past (less the lousy batter the iPhone has).