Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple iPhone v1.0.1 Update Now Available

Posted by kdawson on from the more-better-security dept.

The Webguy writes "Apple has released the first update for the iPhone. Updated components in the v1.0.1 update include Safari, the WebCore, and the WebKit. Quoting from the Apple Knowledge Base, the 'update is only available through iTunes, and will not appear in your computer's Software Update application, or on the Apple Support Downloads site.'" One source speculated that Apple wanted to get fixes in users' hands ahead of the Black Hat conference where details of early iPhone vulnerabilities could be revealed.

17 of 279 comments (clear)

  1. Sure wish... by Man+On+Pink+Corner · · Score: 4, Funny

    it would let me bookmark a Google Maps location.

  2. A Description of the Patches from Apple: by iluvcapra · · Score: 5, Informative



    iPhone v1.0.1 Update

    Safari

    CVE-ID: CVE-2007-2400

    Available for: iPhone v1.0

    Impact: Visiting a malicious website may allow cross-site scripting

    Description: Safari's security model prevents JavaScript in remote web pages from modifying pages outside of their domain. A race condition in page updating combined with HTTP redirection may allow JavaScript from one page to modify a redirected page. This could allow cookies and pages to be read or arbitrarily modified. This update addresses the issue by correcting access control to window properties. Credit to Lawrence Lai, Stan Switzer, and Ed Rowe of Adobe Systems, Inc. for reporting this issue.

    Safari

    CVE-ID: CVE-2007-3944

    Available for: iPhone v1.0

    Impact: Viewing a maliciously crafted web page may lead to arbitrary code execution

    Description: Heap buffer overflows exist in the Perl Compatible Regular Expressions (PCRE) library used by the JavaScript engine in Safari. By enticing a user to visit a maliciously crafted web page, an attacker may trigger the issue, which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript regular expressions. Credit to Charlie Miller and Jake Honoroff of Independent Security Evaluators for reporting these issues.

    WebCore

    CVE-ID: CVE-2007-2401

    Available for: iPhone v1.0

    Impact: Visiting a malicious website may allow cross-site requests

    Description: An HTTP injection issue exists in XMLHttpRequest when serializing headers into an HTTP request. By enticing a user to visit a maliciously crafted web page, an attacker could trigger a cross-site scripting issue. This update addresses the issue by performing additional validation of header parameters. Credit to Richard Moore of Westpoint Ltd. for reporting this issue.

    WebKit

    CVE-ID: CVE-2007-3742

    Available for: iPhone v1.0

    Impact: Look-alike characters in a URL could be used to masquerade a website

    Description: The International Domain Name (IDN) support and Unicode fonts embedded in Safari could be used to create a URL which contains look-alike characters. These could be used in a malicious web site to direct the user to a spoofed site that visually appears to be a legitimate domain. This update addresses the issue by through an improved domain name validity check.

    WebKit

    CVE-ID: CVE-2007-2399

    Available for: iPhone v1.0

    Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

    Description: An invalid type conversion when rendering frame sets could lead to memory corruption. Visiting a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution. Credit to Rhys Kidd of Westnet for reporting this issue.

    --
    Don't blame me, I voted for Baltar.
    1. Re:A Description of the Patches from Apple: by chefmonkey · · Score: 5, Funny

      Viewing a maliciously crafted web page may lead to arbitrary code execution

      Arbitrary code execution? But isn't that what every iPhone user has been clamoring for?
  3. Re:hmmm or not by Necroman · · Score: 4, Informative

    You have to press the "Check for Updates" button in iTunes to get it. iTunes only auto-checks for updates every 7 days or so.

    --
    Its not what it is, its something else.
  4. My iPhone seems fine... by qualidafial · · Score: 5, Funny

    I'm writing this message from my iPhone and haven't noticed any problems at ~£]+~}2(&"@NO CARRIER

  5. updated by Fluk3 · · Score: 4, Funny

    Feels Snappier(TM)

    --
    I've been upgraded to "bad"!
  6. Copy/paste by Anonymous Coward · · Score: 5, Funny

    It's informative because he did it on an iPhone! (Haha, I made a funny! You can't copy/paste on an iPhone!!) :-P

  7. Interesting... by Anonymous+Freak · · Score: 4, Interesting

    The first step after hitting go involves the iPhone going into a "Software Update" screen, then immediately going to an Apple logo with progress bar. On the computer, while the progress bar is going by, is displayed "Verifying Current iPhone Software"... Does this mean it's checking the existing install to make sure it's not hacked?

    Anyone with a hacked iPhone try this yet, and if so, any problems? I expect any hacks will have to be re-applied (or even re-discovered, if the hole that allowed them was patched.)

    (I haven't hacked my iPhone yet, but I would like to make sure Apple doesn't lock hacked ones out of updates.)

    --
    Another non-functioning site was "uncertainty.microsoft.com."
    The purpose of that site was not known.
    1. Re:Interesting... by wannasleep · · Score: 4, Informative

      Yes it is checking the install for integrity... and it looks like it wipes out phones with some mods. It is not clear yet what mods trigger a complete wipe. It looks like ringtones and minor mods will survive the update. People are still testing.

    2. Re:Interesting... by voisine · · Score: 4, Funny

      I just had some ringtones on there and the software verification failed. Had to do a full restore. It took longer and I have to re-hack it to get my cat-screech custom ringtone for the wife back, but otherwise painless.

  8. Sooooo.... by kollywabbles · · Score: 5, Funny

    can I replace the battery now?

    --
    put it in the bit bucket
  9. Re:My iPhone got me laid by AmberBlackCat · · Score: 4, Funny

    An iPhone will work, but really it could be any item that indicates to the woman that you're willing to spend hundreds of dollars on something pretty.

  10. Re:oops by stonedcat · · Score: 5, Funny

    Your struggle had me gripping the edge of my seat.

    --
    You can't take the sky from me.
  11. In Your Face "Enterprise" iPhone Bashers by gig · · Score: 5, Interesting

    This is the first time ever that a vulnerability has been found in a smart phone and it's been patched ahead of the public demo of the exploit.

    There is this meme that the iPhone is not ready for the enterprise because it doesn't have MAPI and special I-T management tools. Yet here we have the first vulnerability in the iPhone and it is promptly patched through a system that will distribute the patches very quickly and easily. A stark contrast to other mobiles. There are multiple holes in Symbian and of course Windows Mobile that remain completely unpatched. Nobody knows when that is going to change. For all the enterprise bluster around those systems they are not patching zero-day exploits.

    There are many reasons that the Mac is more secure than Windows, but a big reason is that OS X is such a moving target. Every quarter for 5 years there has been a new version which updates itself automatically. Exploits are made less valuable not just because of the smaller user base than Windows, but also because of the short shelf life of each OS version. The vast majority of Mac users are using the very latest OS and have all the patches applied even though the vast majority of Mac users have no I-T staff and no I-T skills.

    When the iPhone first shipped and people started hacking it, there was a lot of talk then that every hack may be temporary, a software update could come down through iTunes at any time and reset the game. There is nothing like that protecting any other mobile.

    1. Re:In Your Face "Enterprise" iPhone Bashers by SuperKendall · · Score: 4, Insightful

      Quickly and easily? That's crap, and you know it. Quickly and easily would be for the iPhone to update over the air, like the T-Mobile Sidekick does. Having to connect the device to a PC running iTunes isn't "quick" or "easy".

      It is, if you have a PC or mac??? I found it quick and easy. OTA might be a little nicer, but given that I sync once a day or so for calendar updates and other refreshes, it's easy enough.

      Tell me, how is IT is going to push patches to the device?

      The whole point was they don't need to, because it's easily handled by the user. Less IT work is a good thing, if you can just release your claws a little from grasping everything that comes within reach.

      How are users going to know to apply the patch?

      Software automatically prompts them to do so within seven days of the last check, so worst case in six days or so the last people should be updating the phones (unless they sync less frequently). Just like OS X updates, with 99% of the user population apply just fine with no IT involvement. I know the concept is just blowing your mind, but updates don't have to involve "support staff".

      What if they have disabled patching?

      You can't, though you could decline the update. But why would you? Remember, most users just hit "yes".

      How do we ensure compliance? What's to stop iPhone 1.0 users/devices from connecting and downloading sensitive data?

      Within a week there will be no iPhone 1.0 devices. You aren't getting the Big Picture here.

      Here's a pop quiz - the CFO's iPhone is lost/stolen. What do you do?

      What you can. Here's the kicker - this is true of your CFO right now, regardless of your feelings! So what are YOU doing other than putting your head in the sand? When have CFO's ever really been "managed" anyway?

      Bullshit. Mac OS X is fundamentally unchanged from when Tiger came out two years ago.

      Illusion! All those security updates, with patches to sshd and the like - they were all figments!

      You have no idea how patching works in IT. We don't necessarily WANT users to have "all the patches applied", at least not right away. IT needs to control patch delivery to limit compatibility issues. Or do you believe that patches never break anything?

      More sand-holing. How sad. Learn to deal, you have seven days before everyone is patched, figure it out if something doesn't work - but then again, since you can't install your own software anyway what exactly would break again?? Since you aren't doing the updates why are you taking support calls for the thing? Point them to Apple.

      Presumably when third party software arrives, it will keep in step with iPhone updates just as software does with OS X updates.

      Windows Mobile 6 devices can be patched over the air, and patch delivery can be managed with a variety of third-party tools.

      Oh, you're one of THOSE people. No wonder the big picture is so elusive to you. You've forgotten who you serve.

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
    2. Re:In Your Face "Enterprise" iPhone Bashers by goodmanj · · Score: 4, Interesting

      The whole point was they don't need to, because it's easily handled by the user. Less IT work is a good thing, if you can just release your claws a little from grasping everything that comes within reach. If I can jump on the bandwagon again here, let me tell you a story.

      Once upon a time, in the distant '80s, there was a large research lab. This lab did a lot of work with computers. The computers of the day were giant VAXen which filled a basement room, with tentacles reaching out to terminals in users' offices throughout the building. The computers was complicated and confusing, and an army of highly trained, very smart support people worked on them. These high priests and acolytes lurked in the basement, worshipping the VAX god and interpreting its prophecies to the users. They did this job well.

      But the users looked at the sacrifices they were making to the VAX god and its acolytes, and realized, "I can get much more done with far less money if I buy a small workstation for my office." The priests in the basement said, "but we won't be able to control and service the machine. What will you do when it breaks?" The users replied, "I'll buy a new one. They cost as much as two days of your salary." Lo, the priests in their basement temple feared for their jobs, feared that their great god, the source of their power, would be lost forever.

      The priests were right, up to a point. The workstation users discovered viruses, and hackers, and spam, and the rest of the ten plagues of the Internet. They learned to do some of the work the priests once did on the VAX. But the new workstations were so much cheaper, and so much easier to use and maintain, that they found it a fair trade. The great VAX was cast out of the basement, and died the sad death of all forgotten gods, but the priests met a happier ending. The eldest took a generous early retirement; the neophytes re-trained, and learned to serve the new pantheon of desktop workstations. By letting go, by giving up their ability to control and manage and dominate, the priests made their users happier and more productive, and saved the lab a hell of a lot of money. ...

      Then, one day, in the empty, dusty temple where the VAX god was once worshipped, the first Beowulf clusters sprouted. And as they grew and spread their tentacles, a new breed of priests arose to serve them...
  12. Re:hmmm or not by node+3 · · Score: 4, Informative

    Are you sure that it will ask you about a patch that is critical for Apple's revenue stream? Absolutely. Apple *always* asks.