September 27, 2007 12:19 PM PDT

Apple patches 10 iPhone flaws

by Robert Vamosi

Apple today released 10 iPhone security updates, including 7 within the MobileSafari browser. The update is available only through iTunes, not from the Apple Downloads page. After applying the update, users should see version 1.1.1 (3A109a) on their iPhone. Further, Apple refuses to discuss pending security vulnerabilities not patched here, stating "For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available."

Bluetooth
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3753. By sending maliciously crafted Service Discovery Protocol (SDP) packets to an iPhone with Bluetooth enabled, an attacker within range may be able to trigger the issue, which may in turn lead to unexpected application termination or arbitrary code execution. Apple credits Kevin Mahaffey and John Hering of Flexilis Mobile Security for reporting this vulnerability.

Mail man-in-the-middle attack
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3754. When Mail is configured to use SSL for incoming and outgoing connections, it does not warn the user when the identity of the mail server has changed or cannot be trusted, which could lead to a man-in-the-middle attack.

Mail telephone link
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3755. "By enticing a user to follow a telephone link in a mail message, an attacker can cause iPhone to place a call without user confirmation." Apple credits Andi Baritchi of McAfee for reporting this vulnerability.

Safari 1
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3756. "A design issue in Safari allows a Web page to read the URL that is currently being viewed in its parent window. By enticing a user to visit a maliciously crafted Web page, an attacker may be able to obtain the URL of an unrelated page." Apple credits Michal Zalewski of Google and Secunia Research for reporting this issue.

Safari 2
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3757. "Safari supports telephone ("tel:") links to dial phone numbers. When a telephone link is selected, Safari will confirm that the number should be dialed. A maliciously crafted telephone link may cause a different number to be displayed during confirmation than the one actually dialed. Exiting Safari during the confirmation process may result in unintentional confirmation." Apple credits Billy Hoffman and Bryan Sullivan of HP Security Labs (formerly SPI Labs) and Eduardo Tang for reporting this issue.
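The two telephone-link issues (CVE-2007-3755 in Mail and CVE-2007-3757 in Safari) both concern the link between what the user approves and what is dialed. The sketch below is an added example, not Apple's code or part of the advisory: `parseTelLink`, `confirmAndDial`, the `askUser`/`dial` callbacks and the rejection policy are hypothetical, and the sample links are constructed.

```javascript
// Added example (hypothetical helpers, not Apple's fix): parse a tel: link once
// and use the same canonical string for the prompt and for the dialer.
const SEPARATORS = /[-.()]/g;          // visual separators permitted by RFC 3966
const CANONICAL = /^\+?[0-9]{1,15}$/;  // optional +, ASCII digits only

function parseTelLink(href) {
  if (typeof href !== 'string' || !/^tel:/i.test(href)) {
    return { ok: false, reason: 'not a tel: link' };
  }
  let raw;
  try {
    raw = decodeURIComponent(href.slice(4)); // decode exactly once, then validate
  } catch (e) {
    return { ok: false, reason: 'malformed percent-encoding' };
  }
  const number = raw.replace(SEPARATORS, '');
  // Policy assumed here: pauses (","), "*", "#", parameters and non-ASCII
  // digits are refused rather than silently dropped or reinterpreted.
  if (!CANONICAL.test(number)) {
    return { ok: false, reason: 'unexpected characters in number' };
  }
  return { ok: true, number };
}

// askUser and dial are callbacks supplied by the host application (assumed).
function confirmAndDial(href, askUser, dial) {
  const parsed = parseTelLink(href);
  if (!parsed.ok) return { dialed: null, reason: parsed.reason };
  // Only an explicit true counts; a dismissed prompt (undefined/null) is a refusal.
  if (askUser(`Call ${parsed.number}?`) !== true) {
    return { dialed: null, reason: 'not confirmed' };
  }
  dial(parsed.number); // exactly the string the user saw
  return { dialed: parsed.number, reason: null };
}

// Constructed sample links, for illustration only.
for (const href of ['tel:+1-555-0100', 'tel:5550100%2C%2C99']) {
  console.log(href, '->', JSON.stringify(parseTelLink(href)));
}
```

Because the prompt text is built from the parsed value rather than from the link's visible label, the displayed and dialed numbers cannot diverge, and a prompt that is dismissed rather than answered never reaches `dial`.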

Safari 3
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3758. "A cross-site scripting vulnerability exists in Safari that allows malicious Web sites to set JavaScript window properties of Web sites served from a different domain. By enticing a user to visit a maliciously crafted Web site, an attacker can trigger the issue, resulting in getting or setting the window status and location of pages served from other Web sites." Apple credits Michal Zalewski of Google for reporting this issue.

Safari 4
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3759. "Safari can be configured to enable or disable JavaScript. This preference does not take effect until the next time Safari is restarted. This usually occurs when the iPhone is restarted. This may mislead users into believing that JavaScript is disabled when it is not."

Safari 5
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3760. "A cross-site scripting issue in Safari allows a maliciously crafted Web site to bypass the same-origin policy using "frame" tags. By enticing a user to visit a maliciously crafted Web page, an attacker can trigger the issue, which may lead to the execution of JavaScript in the context of another site." Apple credits Michal Zalewski of Google and Secunia Research for reporting this issue.

Safari 6
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3761. "A cross-site scripting issue in Safari allows JavaScript events to be associated with the wrong frame. By enticing a user to visit a maliciously crafted Web page, an attacker may cause the execution of JavaScript in the context of another site."

Safari 7
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-4671. "An issue in Safari allows content served over HTTP to alter or access content served over HTTPS in the same domain. By enticing a user to visit a maliciously crafted Web page, an attacker may cause the execution of JavaScript in the context of HTTPS Web pages in that domain." Apple credits Keigo Yamazaki of Little Earth Corporation for reporting this issue.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
Apple's habit...
by SecurityExpertMan September 27, 2007 1:40 PM PDT
...of just throwing a product out there without adequately pre-testing
for security issues is intolerable. For all these security
issues found by the good guys, there are 10 more found by the
bad guys that we hear nothing about and get sold to the highest
bidder.

Apple's software products used to be the best in security and
privacy, but not anymore. Take EFI for instance.
Apple's habit of just throwing a product out there
by rcrusoe September 27, 2007 2:12 PM PDT
I agree, it is totally unacceptable.

They should wait until the product is 100% ready for the marketplace with all possible security flaws fully closed - like Microsoft Vista.
Is there evidence it wasn't pre-tested?
by dotmike September 27, 2007 2:34 PM PDT
Hacks are possible into anything. Even the best lock in the world
can be drilled.

I'm sure Apple did test, but the mathematics of security
vulnerabilities suggests the odds of finding every possible
combination within a given period of time are against it.

It's important that issues are patched as they are discovered and
before they are widely exploited, and Apple appears to be doing
that.

Besides, most of the exploits seem to rely on "enticing a user to
visit a maliciously crafted Web page."

As the doctor with the "it hurts when I do this" patient said,
"don't do that."
Ditto here RCrusoe
by Rick Cavaretti September 28, 2007 7:26 AM PDT
Great 'thinly veiled' post with a great punch line at the end. I too
almost lost my coffee across my keyboard.
Woops. One more thing
by Rick Cavaretti September 28, 2007 7:30 AM PDT
Hit the button too soon. Other sites are reporting this story in a
different slant. Apparently, this update shuts down all of the
hacked iPhones and limits them to the ATT network. Almost no
mention of the other issues.
What Apple is not open source?
by ferretboy88 September 28, 2007 4:34 PM PDT
Apple only wants you to use the lame AT and T crap network. People talk about Microsoft and how greedy they are, but Steve Jobs has 6 Billion and he sure is a real greedy pig also.
the bigger issue (to me)...
by mastercko September 28, 2007 11:09 AM PDT
...isn't the fact that they're releasing a patch (that's normal, whatever).

It's this:

Further, Apple refuses to discuss pending security vulnerabilities not patched here, stating "For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available."

guh? "We won't talk about it till we fix it?" Security through obfuscation? Isn't that attitude like the exact OPPOSITE of the computer security community at large? Gotta love the walled garden.
Sure
by Lee in San Diego September 29, 2007 9:46 AM PDT
They should publish details about vulnerabilities. /snark
horizontal keyboard for texting?
by sirjigster September 28, 2007 6:11 PM PDT
Where is the horizontal keyboard for texting? Why not try to add a
copy and paste feature? Where is the MMS texting? Like other
people have said, they are just trying to relock the phones for the
users who have T-Mobile.