Apple patches multiple iPhone flaws

Apple's firmware update Thursday addressed a series of flaws in the iPhone while delivering a little payback to those with unlocked iPhones.

Apple released a security update Thursday to address a series of flaws attackers could exploit to launch malicious code, trigger a denial-of-service or access sensitive information. In what some consider payback on Apple's part against the hacking community, the update renders most unlocked iPhones temporarily useless.

The iPhone 1.1.1 update fixes the following problems:

An input validation issue in the iPhone's Bluetooth server. By sending maliciously-crafted Service Discovery Protocol (SDP) packets to an iPhone with Bluetooth enabled, an attacker may trigger the issue, which may lead to unexpected application termination or arbitrary code execution, Apple said. The update fixes the issue by performing additional validation of SDP packets.

When Mail is configured to use SSL for incoming and outgoing connections, it does not warn the user when the identity of the mail server has changed or cannot be trusted. "An attacker capable of intercepting the connection may be able to impersonate the user's mail server and obtain the user's email credentials or other sensitive information," Apple said. "This update addresses the issue by properly warning when the identity of the remote mail server has changed."

Mail supports telephone ("tel:") links to dial phone numbers. By enticing a user to follow a telephone link in a mail message, Apple said, an attacker can cause iPhone to place a call without user confirmation. The update addresses the issue by providing a confirmation window before dialing a phone number via a telephone link in Mail.

A design issue in Safari allows a Web page to read the URL that is currently being viewed in its parent window. "By enticing a user to visit a maliciously crafted Web page, an attacker may be able to obtain the URL of an unrelated page," Apple said. "This update addresses the issue through an improved cross-domain security check."

Apple iPhone security:
Are iPhone security risks different than those of other mobile devices? The security risks of an iPhone are comparable to other wireless devices, but the iPhone does bring some special issues that are a cause for concern.

iPhone shellcode hits the Web: Metasploit creator HD Moore has published shellcode for Apple's iPhone, turning the device into a pocket-sized attack platform.

iPhone not ready for the enterprise: While the Apple iPhone won't be the first choice of many enterprises, a group of industry analysts say it could have a positive impact on future devices.

Apple iPhone to provoke complex mobile attacks, expert warns: Mikko Hypponen, director of antivirus research at F-Secure Corp., said he expects mobile malware attacks to escalate thanks to interest in Apple's iPhone.

Safari supports telephone ("tel:") links to dial phone numbers. When a telephone link is selected, Apple said, Safari will confirm that the number should be dialed. A maliciously crafted telephone link may cause a different number to be displayed during confirmation than the one actually dialed. Exiting Safari during the confirmation process may result in unintentional confirmation. This update addresses the issue by properly displaying the number that will be dialed and requiring confirmation for telephone links.

A cross-site scripting vulnerability exists in Safari that allows malicious Web sites to set JavaScript window properties of Web sites served from a different domain. "By enticing a user to visit a maliciously crafted Web site, an attacker can trigger the issue, resulting in getting or setting the window status and location of pages served from other Web sites," Apple said. "This update addresses the issue by providing improved access controls on these properties."

Safari can be configured to enable or disable JavaScript. "This preference does not take effect until the next time Safari is restarted," Apple said. "This usually occurs when the iPhone is restarted. This may mislead users into believing that JavaScript is disabled when it is not. This update addresses the issue by applying the new preference prior to loading new Web pages."

A cross-site scripting issue in Safari allows a maliciously crafted Web site to bypass the same-origin policy using "frame" tags. "By enticing a user to visit a maliciously crafted Web page, an attacker can trigger the issue, which may lead to the execution of JavaScript in the context of another site," Apple said. "This update addresses the issue by disallowing JavaScript as an 'iframe' source, and limiting JavaScript in frame tags to the same access as the site from which it was served.

A cross-site scripting issue in Safari allows JavaScript events to be associated with the wrong frame. By enticing a user to visit a maliciously crafted Web page, Apple said, an attacker may cause the execution of JavaScript in the context of another site. The update addresses the issue by associating JavaScript events to the correct source frame.

An issue in Safari allows content served over HTTP to alter or access content served over HTTPS in the same domain. By enticing a user to visit a maliciously crafted Web page, an attacker may cause the execution of JavaScript in the context of HTTPS Web pages in that domain. This update addresses the issue by limiting access between JavaScript executing in HTTP and HTTPS frames, Apple said.

The security update blocks some iPhones that have been unlocked. Before the update downloads, Apple warns iPhone owners with a message: "Warning: Apple has discovered that some of the unauthorized unlocking programs available on the Internet may cause irreparable damage to the iPhone's software," the message read. "If you have modified your iPhone's software, applying this software update may result in your iPhone becoming permanently inoperable."

Dig deeper on Handheld and Mobile Device Security Best Practices

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close