Slashdot Mirror
Apple iPhone v1.0.1 Update Now Available
The Webguy writes "Apple has released the first update for the iPhone. Updated components in the v1.0.1 update include Safari, the WebCore, and the WebKit. Quoting from the Apple Knowledge Base, the 'update is only available through iTunes, and will not appear in your computer's Software Update application, or on the Apple Support Downloads site.'" One source speculated that Apple wanted to get fixes in users' hands ahead of the Black Hat conference where details of early iPhone vulnerabilities could be revealed.
it would let me bookmark a Google Maps location.
iPhone v1.0.1 Update
Safari
CVE-ID: CVE-2007-2400
Available for: iPhone v1.0
Impact: Visiting a malicious website may allow cross-site scripting
Description: Safari's security model prevents JavaScript in remote web pages from modifying pages outside of their domain. A race condition in page updating combined with HTTP redirection may allow JavaScript from one page to modify a redirected page. This could allow cookies and pages to be read or arbitrarily modified. This update addresses the issue by correcting access control to window properties. Credit to Lawrence Lai, Stan Switzer, and Ed Rowe of Adobe Systems, Inc. for reporting this issue.
Safari
CVE-ID: CVE-2007-3944
Available for: iPhone v1.0
Impact: Viewing a maliciously crafted web page may lead to arbitrary code execution
Description: Heap buffer overflows exist in the Perl Compatible Regular Expressions (PCRE) library used by the JavaScript engine in Safari. By enticing a user to visit a maliciously crafted web page, an attacker may trigger the issue, which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript regular expressions. Credit to Charlie Miller and Jake Honoroff of Independent Security Evaluators for reporting these issues.
WebCore
CVE-ID: CVE-2007-2401
Available for: iPhone v1.0
Impact: Visiting a malicious website may allow cross-site requests
Description: An HTTP injection issue exists in XMLHttpRequest when serializing headers into an HTTP request. By enticing a user to visit a maliciously crafted web page, an attacker could trigger a cross-site scripting issue. This update addresses the issue by performing additional validation of header parameters. Credit to Richard Moore of Westpoint Ltd. for reporting this issue.
WebKit
CVE-ID: CVE-2007-3742
Available for: iPhone v1.0
Impact: Look-alike characters in a URL could be used to masquerade a website
Description: The International Domain Name (IDN) support and Unicode fonts embedded in Safari could be used to create a URL which contains look-alike characters. These could be used in a malicious web site to direct the user to a spoofed site that visually appears to be a legitimate domain. This update addresses the issue by through an improved domain name validity check.
WebKit
CVE-ID: CVE-2007-2399
Available for: iPhone v1.0
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: An invalid type conversion when rendering frame sets could lead to memory corruption. Visiting a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution. Credit to Rhys Kidd of Westnet for reporting this issue.
Don't blame me, I voted for Baltar.
You have to press the "Check for Updates" button in iTunes to get it. iTunes only auto-checks for updates every 7 days or so.
Its not what it is, its something else.
Ok I have it now, but rather worryingly, half way through installation the process has stalled and my phone is currently ibricked :(
I'm writing this message from my iPhone and haven't noticed any problems at ~£]+~}2(&"@NO CARRIER
Who, cmdrtaco?
... right!
Slashdot has sources now?
--- I do not moderate.
Feels Snappier(TM)
I've been upgraded to "bad"!
So you held the iPhone in the other hand?
Remind me not to borrow your iPhone.
It's informative because he did it on an iPhone! (Haha, I made a funny! You can't copy/paste on an iPhone!!) :-P
Makin love to his tonic and gin
The first step after hitting go involves the iPhone going into a "Software Update" screen, then immediately going to an Apple logo with progress bar. On the computer, while the progress bar is going by, is displayed "Verifying Current iPhone Software"... Does this mean it's checking the existing install to make sure it's not hacked?
Anyone with a hacked iPhone try this yet, and if so, any problems? I expect any hacks will have to be re-applied (or even re-discovered, if the hole that allowed them was patched.)
(I haven't hacked my iPhone yet, but I would like to make sure Apple doesn't lock hacked ones out of updates.)
Another non-functioning site was "uncertainty.microsoft.com."
The purpose of that site was not known.
Isn't the iPhone a Newton 2.0?
"All you have to do is be fragile and grateful. So stay the underdog." Chuck Palahniuk, Choke
Informative? Informative!?
Yes, waiter, another glass of kool-aid please.
(captcha: ravening)
If you build it, nerds will come. Soylentnews.org
Where did the author say it was surprising(, exactly)?
Of what use is your comment, exactly?
VPN connections work correctly now. Before, it wouldn't save my PPTP password and then when it connected it would bring up a password entry box with only numeric characters allowed. I didn't try VPN with a password not saved, but at least saved password behavior is correct.
The update took around 7-8 minutes altogether. Left a ".ipsw" file in my ~/Library/iTunes/iPhone Software Updates folder which presumably contains the image.
-- Josh Turiel
"2. Do not eat iPod Shuffle."
can I replace the battery now?
put it in the bit bucket
An iPhone will work, but really it could be any item that indicates to the woman that you're willing to spend hundreds of dollars on something pretty.
Well there is the fact that it doesn't break any of the existing hacks for the iPhone...
Is anyone else seeing this? My iPhone will not charge via the wall adapter after applying the update. Charging from the computer works fine, but I get nothing when it's plugged in via the wall adapter.
I got laid *without* an iPhone.
Anybody can get laid with an iPhone.
This is the first time ever that a vulnerability has been found in a smart phone and it's been patched ahead of the public demo of the exploit.
There is this meme that the iPhone is not ready for the enterprise because it doesn't have MAPI and special I-T management tools. Yet here we have the first vulnerability in the iPhone and it is promptly patched through a system that will distribute the patches very quickly and easily. A stark contrast to other mobiles. There are multiple holes in Symbian and of course Windows Mobile that remain completely unpatched. Nobody knows when that is going to change. For all the enterprise bluster around those systems they are not patching zero-day exploits.
There are many reasons that the Mac is more secure than Windows, but a big reason is that OS X is such a moving target. Every quarter for 5 years there has been a new version which updates itself automatically. Exploits are made less valuable not just because of the smaller user base than Windows, but also because of the short shelf life of each OS version. The vast majority of Mac users are using the very latest OS and have all the patches applied even though the vast majority of Mac users have no I-T staff and no I-T skills.
When the iPhone first shipped and people started hacking it, there was a lot of talk then that every hack may be temporary, a software update could come down through iTunes at any time and reset the game. There is nothing like that protecting any other mobile.
The funny thing is, if there's enough of Mac OS X in there, it should be theoretically possible to port Inkwell to the iPhone. I'm sure Apple is thinking about this.
I don't think they are, because the finger is a terrible writing implement - that would be far more suited to a stylus I think.
And Palm? It seems to me that about the only chance Palm has for continued existence is to go back to their roots and release Graffiti (v1, not v2, now that the lawsuit is settled) for the iPhone. You *do* know that Palm's original product was Graffiti, right? And that one of the platforms it ran on was the Newton MessagePad?
Yes, but the Newton was always more about pure text entry with the stylus, the Palm stuff really wasn't as useful on the Newton. Palm/Grafitti really came into its own with a dedicated OS, I had a few Palm Pilots and I loved them. They went to a place with the Treo I could not follow.
Honestly, I hope Palm does well with the Foleo, because it embodies in many ways ideas that I've had about the future of mobile computing for a long time. It's just that given Palm's recent history, I doubt that it's going to thrive.
The problem with the folio is that it's plainly positioned as an adjunct device to other smartphones, and unless Apple opens up the iPhone enough it can interoperate well... I'm not sure how well they will fare. I also do not wish Palm ill, but I'm not sure they have made good choices in the last few years.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
When you are at the area you want to save, search for a road name visible on the map. Searches take place primarily in the area you are viewing, so if the road is small enough you'll get a pretty exact location you can bookmark to return to that area.
If you use a major road name, the location chosen might be in the middle of the stretch of roadway, so try to use smaller streets if you can.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Yeah, because what everyone needs is a download or patching failure to brick their phone while they're traveling. Needing a computer allows you to backup/sync data beforehand and gives you the tools to do a restore if need be (for example, if a wonky hack bricks the update).
Just because data and an installer can be delivered doesn't mean it's a brilliant plan.
But I just have to ask: to whom has Apple sold out by requiring you to sit down at your computer to update a mobile device?
Microsoft relased Service Pack 15 for Windows 2000. News at 11.
Seriously, are we going to make a story out of every point release of iPhone's firmware?
(it is called itunes, no?) Am I the only one who finds it amusing that people are so desperate to find something, anything, negative to say about the iPhone that they pick something like this to complain about? That, and if you're on a PC and going to sync an iPhone, which includes an iPod (needs iTunes), why would you want _another_ app to do the syncing of the stuff on the iPhone that isn't music? It's the most logical place for that functionality.
when's the last time you saw a story of a non-Mac-fanboi ditching their Blackberry for an iPhone
I assume "never", since according to you anyone who did ditch their Blackberry for an iPhone would, by definition, be a "Mac-fanboi".
No true Scotsman puts sugar on his porridge.
Quidquid latine dictum sit, altum sonatur.
This is, by far, the most ignorant security comment on Slashdot I have ever read. You are a fool sir, at least when it comes to security.
What I am is a security REALIST. What I realize is that people are "in UR Enterprize iPhoneinating UR Network". So who is more ignorant, the one who thinks about how this device can fit in as-is because it's going to anyway even if you don't want it, or someone who whines about lack of IT controlled updates and pretends like it's not already affecting you.
Welcome to real world security. Here's a Q-tip for that sand in your ears.
"There is more worth loving than we have strength to love." - Brian Jay Stanley