Apple iPhone 2.2 update includes critical security patches

Apple issued version 2.2 of its iPhone firmware, repairing at least a dozen security issues, including dangerous flaws in its Safari browser that attackers can exploit to steal passwords, account information and other sensitive data.

Version 2.2 of the firmware addresses software flaws in both the iPhone and iPod touch. Several fixes address problems with the way Safari handles HTML table and iframe elements. An attacker could exploit the flaws to cause memory corruption and execute arbitrary code, Apple said in its advisory. One of the errors enables an attacker to spoof the user interface, Apple said.

An attacker can exploit a TIFF image handling error by tricking the user into viewing a malicious TIFF image. CoreGraphics contains memory corruption issues resulting in processing errors. An attacker can exploit the issues to pass arbitrary code or conduct a denial-of-service (DoS) attack. Some TIFF imaging errors cause the device to reset, Apple said.

A networking error was also corrected. An error with the default setting reduced the encryption level for point-to-point tunneling protocol (PPTP) and virtual private network (VPN) connections.

A flaw in Office Viewer could also be exploited by an attacker by tricking a user into viewing a malicious Microsoft Excel file. "Viewing a maliciously crafted Microsoft Excel file may lead to an unexpected application termination or arbitrary code execution," Apple said.

Several passcode and SMS messaging errors were also addressed, Apple said. The software maker also addressed a bug that allowed a user to dial non-emergency numbers when locked out of the iPhone.

Danish vulnerability clearinghouse Secunia gave the flaws a highly critical rating. It said the flaws "can be exploited by malicious people to bypass certain security restrictions, disclose potential sensitive information, conduct spoofing attacks … or potentially compromise a user's system."