Apple iPhone 2.2 update includes critical security patches

By SearchSecurity.com Staff
21 Nov 2008 | SearchSecurity.com

Security Wire Daily News

Apple issued version 2.2 of its iPhone firmware, repairing at least a dozen security issues, including dangerous flaws in its Safari browser that attackers can exploit to steal passwords, account information and other sensitive data.

Version 2.2 of the firmware addresses software flaws in both the iPhone and iPod touch. Several fixes address problems with the way Safari handles HTML table and iframe elements. An attacker could exploit the flaws to cause memory corruption and execute arbitrary code, Apple said in its advisory. One of the errors enables an attacker to spoof the user interface, Apple said.

An attacker can exploit a TIFF image handling error by tricking the user into viewing a malicious TIFF image. CoreGraphics contains memory corruption issues resulting in processing errors. An attacker can exploit the issues to execute arbitrary code or conduct a denial-of-service (DoS) attack. Some TIFF imaging errors cause the device to reset, Apple said.

A networking error was also corrected. An error with the default setting reduced the encryption level for point-to-point tunneling protocol (PPTP) and virtual private network (VPN) connections.

A flaw in Office Viewer could also be exploited by an attacker by tricking a user into viewing a malicious Microsoft Excel file. "Viewing a maliciously crafted Microsoft Excel file may lead to an unexpected application termination or arbitrary code execution," Apple said.

Several passcode and SMS messaging errors were also addressed, Apple said. The software maker also addressed a bug that allowed a user to dial non-emergency numbers when locked out of the iPhone.

Danish vulnerability clearinghouse Secunia gave the flaws a highly critical rating. It said the flaws "can be exploited by malicious people to bypass certain security restrictions, disclose potential sensitive information, conduct spoofing attacks … or potentially compromise a user's system."
