Apple iPhone v1.0.1 Update Now Available
The Webguy writes "Apple has released the first update for the iPhone. Updated components in the v1.0.1 update include Safari, the WebCore, and the WebKit. Quoting from the Apple Knowledge Base, the 'update is only available through iTunes, and will not appear in your computer's Software Update application, or on the Apple Support Downloads site.'" One source speculated that Apple wanted to get fixes in users' hands ahead of the Black Hat conference where details of early iPhone vulnerabilities could be revealed.
it would let me bookmark a Google Maps location.
I just plugged my iPhone in as soon as I saw this story and I don't see any update 1.0.1...
iPhone v1.0.1 Update
Safari
CVE-ID: CVE-2007-2400
Available for: iPhone v1.0
Impact: Visiting a malicious website may allow cross-site scripting
Description: Safari's security model prevents JavaScript in remote web pages from modifying pages outside of their domain. A race condition in page updating combined with HTTP redirection may allow JavaScript from one page to modify a redirected page. This could allow cookies and pages to be read or arbitrarily modified. This update addresses the issue by correcting access control to window properties. Credit to Lawrence Lai, Stan Switzer, and Ed Rowe of Adobe Systems, Inc. for reporting this issue.
Safari
CVE-ID: CVE-2007-3944
Available for: iPhone v1.0
Impact: Viewing a maliciously crafted web page may lead to arbitrary code execution
Description: Heap buffer overflows exist in the Perl Compatible Regular Expressions (PCRE) library used by the JavaScript engine in Safari. By enticing a user to visit a maliciously crafted web page, an attacker may trigger the issue, which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript regular expressions. Credit to Charlie Miller and Jake Honoroff of Independent Security Evaluators for reporting these issues.
WebCore
CVE-ID: CVE-2007-2401
Available for: iPhone v1.0
Impact: Visiting a malicious website may allow cross-site requests
Description: An HTTP injection issue exists in XMLHttpRequest when serializing headers into an HTTP request. By enticing a user to visit a maliciously crafted web page, an attacker could trigger a cross-site scripting issue. This update addresses the issue by performing additional validation of header parameters. Credit to Richard Moore of Westpoint Ltd. for reporting this issue.
WebKit
CVE-ID: CVE-2007-3742
Available for: iPhone v1.0
Impact: Look-alike characters in a URL could be used to masquerade a website
Description: The International Domain Name (IDN) support and Unicode fonts embedded in Safari could be used to create a URL which contains look-alike characters. These could be used in a malicious web site to direct the user to a spoofed site that visually appears to be a legitimate domain. This update addresses the issue through an improved domain name validity check.
WebKit
CVE-ID: CVE-2007-2399
Available for: iPhone v1.0
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: An invalid type conversion when rendering frame sets could lead to memory corruption. Visiting a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution. Credit to Rhys Kidd of Westnet for reporting this issue.
Don't blame me, I voted for Baltar.
I was thinking about taking your mother to the monster truck show, but now, I have second thoughts. Chances would be high for her to throw her iPhone at the monster truck as an offering since you have said this.
Ok I have it now, but rather worryingly, half way through installation the process has stalled and my phone is currently ibricked :(
I'm writing this message from my iPhone and haven't noticed any problems at ~£]+~}2(&"@NO CARRIER
It's in the IT section, too, moron.
The Farewell Tour II
You must be new here...
I'm expecting a fifteen page writeup on why these issues are not that big of a deal by tomorrow on my desk. Double spaced, Arial 9 point.
Oh, and this time, please don't use Wingdings in the footnotes. I can't tell you how disorienting it is to find a jogging man icon be used as a marker in the middle of a rant.
Chicks dig the iPhone.
Who, cmdrtaco?
... right!
Slashdot has sources now?
--- I do not moderate.
Yes, but you can't argue with success ;)
It's nice just to have it on the page to look at. Besides, how many people are going to actually read it anyways?
Feels Snappier(TM)
I've been upgraded to "bad"!
WTF? Because PPL don't RTFA.
a phone that I have to hook up to my computer and open a music player so that it doesn't get owned.
Thanks Apple!
One source speculated that Apple wanted to get fixes in users' hands ahead of the Black Hat conference where details of early iPhone vulnerabilities could be revealed.
And this would be surprising why, exactly?
Is this not a good thing?
It's informative because he did it on an iPhone! (Haha, I made a funny! You can't copy/paste on an iPhone!!) :-P
The first step after hitting go involves the iPhone going into a "Software Update" screen, then immediately going to an Apple logo with progress bar. On the computer, while the progress bar is going by, is displayed "Verifying Current iPhone Software"... Does this mean it's checking the existing install to make sure it's not hacked?
Anyone with a hacked iPhone try this yet, and if so, any problems? I expect any hacks will have to be re-applied (or even re-discovered, if the hole that allowed them was patched.)
(I haven't hacked my iPhone yet, but I would like to make sure Apple doesn't lock hacked ones out of updates.)
Another non-functioning site was "uncertainty.microsoft.com."
The purpose of that site was not known.
Isn't the iPhone a Newton 2.0?
"All you have to do is be fragile and grateful. So stay the underdog." Chuck Palahniuk, Choke
Still waiting for copy and paste, custom ringtones, and bluetooth file transfers... :(
Flamebait? I agree with him this isn't really news worthy material, at least to be on the front page. Put it in back and put the submitter back on the shortbus.
VPN connections work correctly now. Before, it wouldn't save my PPTP password and then when it connected it would bring up a password entry box with only numeric characters allowed. I didn't try VPN with a password not saved, but at least saved password behavior is correct.
The update took around 7-8 minutes altogether. Left a ".ipsw" file in my ~/Library/iTunes/iPhone Software Updates folder which presumably contains the image.
-- Josh Turiel
"2. Do not eat iPod Shuffle."
It's Palm 10.0, if you think about how it really works... fundamentally, a device derived from a Newton would be all about handwriting recognition taken to the next level. The iPhone is about replacing the Graffiti input squares with a virtual keyboard, with some hint of the gesture recognition dispersed throughout the device.
Also, it's what Palm should have developed about two years ago, if they hadn't lost focus on making great small device OSes.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
can I replace the battery now?
put it in the bit bucket
Oooh, I'm taking a hit for that one :P
It would be retro-chic if it didn't date back to AT&T 1.0.
Well there is the fact that it doesn't break any of the existing hacks for the iPhone...
It's got nothing to do with Newton, Palm, Pocket PC, Symbian/EPOC devices, or any other smartphone or PDA, because you can't run anything but Apple's software on it.
It's basically a canned email/browser device like WebTV in a pocket form factor, with a handful of common organizer applications baked into the image, like Royal's old line of organizers.
You know how Steve mentioned three things when he introduced the iPhone? Well, two out of three ain't bad--mine wasn't a phone for about 24 hours (and didn't bother to tell me):
Either this update better address phone-freeze or I'm gonna have to reboot every 24 hours (or chuck it)...
Twelve-and-three-quarter inches. Unyielding. This wand belonged to Bellatrix Lestrange.
Is anyone else seeing this? My iPhone will not charge via the wall adapter after applying the update. Charging from the computer works fine, but I get nothing when it's plugged in via the wall adapter.
People like you are the reason we need a "Doesn't get the joke" mod.
If you would have told me 2 years ago that a lousy phone update would make news on Slashdot I would have said "Apple made a phone?"
Yeah and there was a firefox update yesterday, a debian security update the day before for some software, but I can't remember which, I just hit the go button...
I did a fink update for my mini, I think I'll check to see if there is an update for some software that doesn't do auto updates later
Need real news please!
I got laid *without* an iPhone.
Anybody can get laid with an iPhone.
So where's the Defective by Design tag that gets attached to every Microsoft product that has artificial limitations?
For a device as advanced as the iPhone, I'm shocked that this update can't be automatically done via WiFi or EDGE. I mean, it's practically a freaking computer on its own, and doesn't need to be tethered to yet another device.
Dear Apple,
Please stop selling out. You're on a slippery slope, and we won't forgive you another time after you slipped up in the 90s.
Sincerely,
Your customers.
-- If you try to fail and succeed, which have you done? - Uli's moose
This is the first time ever that a vulnerability has been found in a smart phone and it's been patched ahead of the public demo of the exploit.
There is this meme that the iPhone is not ready for the enterprise because it doesn't have MAPI and special I-T management tools. Yet here we have the first vulnerability in the iPhone and it is promptly patched through a system that will distribute the patches very quickly and easily. A stark contrast to other mobiles. There are multiple holes in Symbian and of course Windows Mobile that remain completely unpatched. Nobody knows when that is going to change. For all the enterprise bluster around those systems they are not patching zero-day exploits.
There are many reasons that the Mac is more secure than Windows, but a big reason is that OS X is such a moving target. Every quarter for 5 years there has been a new version which updates itself automatically. Exploits are made less valuable not just because of the smaller user base than Windows, but also because of the short shelf life of each OS version. The vast majority of Mac users are using the very latest OS and have all the patches applied even though the vast majority of Mac users have no I-T staff and no I-T skills.
When the iPhone first shipped and people started hacking it, there was a lot of talk then that every hack may be temporary, a software update could come down through iTunes at any time and reset the game. There is nothing like that protecting any other mobile.
With my Newton Message Pad I could at least change the batteries when they got low. Those I know with iPhones are always paranoid about a place to plug in instead of just having a back-up battery in their bag. The battery issue is a real flaw.
Oh, shut up. It's obvious you didn't like it because it stomped your precious iPhone. It was used correctly, and was as good as ever.
because that song's not whiney a bit.
You could replace it anytime you liked, just like you could with iPods.
I personally don't mind sending it to Apple in three years or so, when it's at 80% capacity... or I may not, as it is the battery is plenty enough for me.
If you enjoy having to replace batteries more often just because you can, and having shorter battery life - more power to you (so to speak).
It's got nothing to do with Newton, Palm, Pocket PC, Symbian/EPOC devices, or any other smartphone or PDA, because you can't run anything but Apple's software on it.
Yeah, what a bummer it's just UNIX in a small form factor.
Why don't you go rain all over the Zaurus user parade while you're at it?
Sure it's a random troll, but you have to admit it's impressive that whoever did it managed the coordination between the multiple machines necessary to accomplish that.
Of course, all subsequent trolls of the same type should be modded to -1, obviously.
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
When you are at the area you want to save, search for a road name visible on the map. Searches take place primarily in the area you are viewing, so if the road is small enough you'll get a pretty exact location you can bookmark to return to that area.
If you use a major road name, the location chosen might be in the middle of the stretch of roadway, so try to use smaller streets if you can.
If you receive a call in the middle of the update, it will probably crash, forcing a slow restore.
Me? I'm bitter and lonely, I could update the phone on my birthday with no concerns.
But normal people will probably want to do it later at night to prevent a painful experience.
My mom says I'm cool.
... yet another reason not to buy an iPhone. Yes, the competition needs update software as well. But that is dedicated update software. The competition won't force me to install a 50MB music player software I don't like to update my phone.
Every time I stand in front of an Apple Mac I have great respect for the technology. But those business and marketing decisions make me shake my head.
Martin
Am I the only one who thinks it's really silly that the only channel through which to update your phone (or, put in another way, your slightly-locked-down, general purpose hand-held computer and communications device) is... is... your MUSIC PLAYER!?
(it is called itunes, no?)
It is, if you have a PC or Mac??? I found it quick and easy. OTA might be a little nicer, but given that I sync once a day or so for calendar updates and other refreshes, it's easy enough. Moreover, AT&T can't reliably deliver weather updates and barely gets web pages over its network. A 7+ MB (or more in the case of Windows Mobile phones) is just not a workable method. Never mind the updates which require nuking all of the data on the phone (typical for WM patches). God help you if your battery goes dead in the process. Sure it would be nice, but when you've been eating shit sandwiches all of your life and someone hands you white bread with cheese and mayonnaise you don't hassle them for not grilling it for you.
Bullshit. Mac OS X is fundamentally unchanged from when Tiger came out two years ago.
Illusion! All those security updates, with patches to sshd and the like - they were all figments!
He does have a point though, Apple patches some things because they must to save face. There are a lot (LOT) of gratuitous reproducible bugs, bad behaviors, and performance issues that have never been fixed. Almost none of which are documented on Apple's site. It is one of the areas Microsoft has really outshone Apple.
You have no idea how patching works in IT. We don't necessarily WANT users to have "all the patches applied", at least not right away. IT needs to control patch delivery to limit compatibility issues. Or do you believe that patches never break anything?
More sand-holing. How sad. Learn to deal, you have seven days before everyone is patched, figure it out if something doesn't work - but then again, since you can't install your own software anyway what exactly would break again?? Since you aren't doing the updates why are you taking support calls for the thing? Point them to Apple.
True that. Windows Mobile 6 devices can be patched over the air, and patch delivery can be managed with a variety of third-party tools.
Great, so once MS publishes a patch and it works its way through the OEM's system (if ever it does) and possibly the additional step/question of the carrier deciding they need to distribute it... you can patch over the air. Who cares, insisting on over the air patching implies an urgency that just does not exist. The argument over a cable is tantamount to arguing over which side of the roll should the toilet paper hang. It does not matter. Just go plug the fucker in.
Platform advocacy is like choosing a favorite severely developmentally disabled child.
So wait- if Apple release security updates they're evil?
If they don't patch security holes, what are they then? evil, incompetent, both?
Is Linus evil? Every new kernel he throws out there potentially breaks my custom super secret kernel module!!
Microsoft released Service Pack 15 for Windows 2000. News at 11.
Seriously, are we going to make a story out of every point release of iPhone's firmware?
I wonder if HTC patented that feature, because they had it first.
The phone works well after the update, and does actually already show signs of improvement in performance. To some extent, I got around the crashing with reboots and recharges, or just used it in different ways. In the time spent this evening, it has not dropped to the main screen once. More remains to be seen, but this is what I was waiting for. The first proof that Apple is going to follow a proper release and update cycle.
It's obvious when you use the iPhone for a while that there are unfinished features or placeholders. Apple as a company has a history of this type of behavior with OSX, as-of-yet unrevealed features will be played out when it suits them to stoke demand and news coverage. Ringtones, anyone?
Does this break the current hacks out in the wild, how will the response from the community go, these types of questions will take time to properly answer. I look forward to it!
Check my Go-related blog for beginners: DGD
I was wondering where all the kids are on slashdot that like to post obscenities on comments/forums.. until I found the Threshold combo box. Nice little feature. Keeps me sane. *click* "1:105 comments" Praise the .. lord?
We get a song troll and they pick "The Piano Man"?
Jesus Effing Christ, they couldn't have picked Search and Destroy or Your Pretty Face Has Gone To Hell?
I'm so ashamed, I'm going to post this AC.
I am constantly amazed at the moderation when it comes to anything about Apple. Parent is most certainly not trolling, and seems to show a lot of understanding about how a corporate environment needs to manage mobile devices.
This is an apples and oranges discussion though, since the iPhone was never *meant* to be used in a corporate environment. Apple wouldn't even sell them to people with AT&T business accounts.
Anyways, parent should have been modded +5 Informative, since the statements were quite accurate, if not what fanbois wanted to hear.
There is this "meme" spreading that the iPhone is a general purpose computer that could be useful to an enterprise.
Did they patch that flaw?
(And please provide links to these ZOMG 0-day SPLOITZ! I have a great need to take over phones and bring down the network. HACK THE PLANET!)
...you aren't half as interesting as you think you are.
I was logging into BBS's during their heyday as a teenager. I used to write scripts to play the chat room games for me—not macros, automated scripts. The fact that you inferred me to be ignorant of the distinction between modems, GSM, and Wi-Fi technologies based on a *joke* just makes you a mirthless wet blanket. Maybe you shouldn't assume the worst in people. (Then again, this is Slashdot.)
NO CARRIER wasn't a perfect fit, but it didn't matter. It's a joke, Mr. Spock.
And by the way, I do own an iPhone, and I actually did post the original message from it.
After updating, my iPhone has a new bookmark for "View your AT&T Wireless Account." I hope those spammers at AT&T burn in hell.
Sent from my iPhone
This is, by far, the most ignorant security comment on Slashdot I have ever read. You are a fool sir, at least when it comes to security.
What I am is a security REALIST. What I realize is that people are "in UR Enterprize iPhoneinating UR Network". So who is more ignorant, the one who thinks about how this device can fit in as-is because it's going to anyway even if you don't want it, or someone who whines about lack of IT controlled updates and pretends like it's not already affecting you.
Welcome to real world security. Here's a Q-tip for that sand in your ears.
Under is like hanging a picture on the wall with the backing facing out. Why would you do this?
Can you really hack the iPhone to add custom ringtones? If so, can you give a URL? I would love to buy an iPhone after trying it out in the Apple Store, but the SMS notification tone is unacceptable. I get automated SMS notifications at night for problems at work, which need to be able to wake me up from a drunken stupor. I had to replace some of the default "message tones" on my last LG CU500 to make that happen. The iPhone doesn't even let you change the tone at all, and it's a short, quiet beep with about 1/2 second of vibration.
The Msg ID is 10 characters with 2 numbers and 3 non-alphanumeric characters... for a really long one-off string that I do not care to remember.
This is something that I wish AT&T and Apple would get together on!
Yeah, what a bummer it's just UNIX in a small form factor.
If you can't get a command line (legitimately), it's not UNIX in any meaningful sense.
Why don't you go rain all over the Zaurus user parade while you're at it?
Why should I? The iPhone's not a Zaurus either.
And here is another fairly recent article and gives more ammo to my argument: http://consumerist.com/consumer/fraud/att-phone-stolen-youre-still-responsible-for-the-450-in-soft-core-porn-downloads-284922.php
Horns are really just a broken halo.
There are multiple stories of people who were halfway through the update getting hosed by an inbound phone call.
:-)
That would be a massive OOPS on Apple's part, and will surely be remedied in a future build. You and every other rational person on Earth would expect it to disable the radio. I'm guessing that they forgot.
I bought and used a $10 program called iPhoneRingToneMaker that works without messing with my firmware. It simply copies the ringtone to some kind of folder on my iPhone. When I reboot the iPhone, voila! I installed the update, and no firmware reset was necessary. :-)
Serial port through the dock.
Please read for content, goofball. You can't legitimately do anything with that command line. I'm better off with Linux on an iPaq plus a separate cellphone than you are with the bootleg debug console or ssh server that you voided your warranty and put your cellphone contract in jeopardy over.
But the Zaurus is also UNIX.
The Zaurus is *supported* UNIX.
The iPhone is *unsupported* UNIX, and that's nothing new... I've had unsupported UNIX on a handheld for years.
The serial console on the iPhone does not get you a shell, it gets you something akin to Open Firmware... something Apple has had since long before they were running UNIX. You also get the same interface from most routers and other network equipment, most minicomputers, many microcomputers other than Powermacs, gas pumps, automobile engine computers, and coffee machines. In fact, the kind of "serial based terminal interface" you'd get from the iPhone is about as "not UNIX" as you can get over a serial port. To get a shell you have to install additional software on the iPhone to make the shell available. Apple goes to great lengths to make this impossible, and doing it violates your contract with AT&T and voids your warranty.
If you are willing to give up cellphone service (and even if you can manage to do this without being detected for the moment, don't bet on keeping that capability) then you can turn your iPhone into a UNIX handheld. You can also turn your iPaq and half a dozen other handhelds into UNIX handhelds by installing NetBSD or Linux on them, and you've been able to do this for years.
The fact that the iPhone has UNIX under the hood is irrelevant because you can not get to it without making your iPhone not an iPhone. To the typical user it's no more relevant that the fact that they can install Linux on their iPaq. They're not going to do it, and anyone who *is* going to do it doesn't need an iPhone to get to the same place. An old iPaq or a Zaurus is cheaper and you can actually get software for them. Hacking your iPhone is a party trick, not a useful tool.
Well - Does the Update Enable Video Out to the TV,
iChat VoIP Skype-like integration, voice dialing, and full Quicktime support,
or is the iPhone still a $600 paperweight?