• On GameSpot: Wii Fit tells 10-year-old she's fat
advertisementUnlimited long distance $24.99/mo
September 27, 2007 12:19 PM PDT

Apple patches 10 iPhone flaws

Posted by Robert Vamosi
  • Print

Apple today released 10 iPhone security updates, including 7 within the MobileSafari browser. The update is available only through iTunes and is not available from the Apple Downloads page. The version users should see within their iPhone after applying this update should be 1.1.1 (3A109a). Further, Apple refuses to discuss pending security vulnerabilities not patched here, stating "For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available."

Bluetooth
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3753. By sending maliciously crafted Service Discovery Protocol (SDP) packets to an iPhone with Bluetooth enabled, an attacker within range may be able to trigger the issue, which may in turn lead to unexpected application termination or arbitrary code execution. Apple credits Kevin Mahaffey and John Hering of Flexilis Mobile Security for reporting this vulnerabliity.

Mail man-in-the-middle attack
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3754. When Mail is configured to use SSL for incoming and outgoing connections, it does not warn the user when the identity of the mail server has changed or cannot be trusted and could lead to a man-in-the-middle attack.

Mail telephone link
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3755. "By enticing a user to follow a telephone link in a mail message, an attacker can cause iPhone to place a call without user confirmation." Apple credits Andi Baritchi of McAfee for reporting this vulnerability.

Safari 1
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3756. "A design issue in Safari allows a Web page to read the URL that is currently being viewed in its parent window. By enticing a user to visit a maliciously crafted Web page, an attacker may be able to obtain the URL of an unrelated page." Apple credits Michal Zalewski of Google and Secunia Research for reporting this issue.

Safari 2
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3757. "Safari supports telephone ("tel:") links to dial phone numbers. When a telephone link is selected, Safari will confirm that the number should be dialed. A maliciously crafted telephone link may cause a different number to be displayed during confirmation than the one actually dialed. Exiting Safari during the confirmation process may result in unintentional confirmation." Apple credits Billy Hoffman and Bryan Sullivan of HP Security Labs (formerly SPI Labs) and Eduardo Tang for reporting this issue.

Safari 3
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3758. "A cross-site scripting vulnerability exists in Safari that allows malicious Web sites to set JavaScript window properties of Web sites served from a different domain. By enticing a user to visit a maliciously crafted Web site, an attacker can trigger the issue, resulting in getting or setting the window status and location of pages served from other Web sites." Apple credits Michal Zalewski of Google for reporting this issue.

Safari 4
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3759. "Safari can be configured to enable or disable JavaScript. This preference does not take effect until the next time Safari is restarted. This usually occurs when the iPhone is restarted. This may mislead users into believing that JavaScript is disabled when it is not."

Safari 5
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3760. "A cross-site scripting issue in Safari allows a maliciously crafted Web site to bypass the same-origin policy using "frame" tags. By enticing a user to visit a maliciously crafted Web page, an attacker can trigger the issue, which may lead to the execution of JavaScript in the context of another site." Apple credits Michal Zalewski of Google and Secunia Research for reporting this issue.

Safari 6
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3761. "A cross-site scripting issue in Safari allows JavaScript events to be associated with the wrong frame. By enticing a user to visit a maliciously crafted Web page, an attacker may cause the execution of JavaScript in the context of another site."

Safari 7
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-4671. "An issue in Safari allows content served over HTTP to alter or access content served over HTTPS in the same domain. By enticing a user to visit a maliciously crafted Web page, an attacker may cause the execution of JavaScript in the context of HTTPS Web pages in that domain." Apple credits Keigo Yamazaki of Little Earth Corporation for reporting this issue.

Topics:

Security,

Apple

Tags:

security,

Apple,

iPhone,

Safari

Bookmark:
Digg
Del.icio.us
Reddit
Recent posts from News Blog
NASA, Google Maps track Southern California wildfires
Sprint first to offer HTC Touch Pro
Flipping out: RIM BlackBerry Pearl Flip 8220 debuts
Sprint HTC Touch Diamond outed early
Woman to virtual ex: 'I won't be ignored!'
Add a Comment (Log in or register) 18 comments
Apple's habit...
by SecurityExpertMan September 27, 2007 1:40 PM PDT
...of just throwing a product out there without adequately pre-
testing for security issues is intolerable. For all these security
issues found by the good guys, there are 10 more found by the
bad guys that we hear nothing about and gets sold to the highest
bidder.

Apple's software products used to be the best in security and
privacy, but not anymore. Take EFI for instance.
Reply to this comment
Apple's habit of just throwing a product out there
by rcrusoe September 27, 2007 2:12 PM PDT
I agree, it is totally unacceptable.

They should wait until the product is 100% ready for the marketplace with all possible security flaws fully closed - like Microsoft Vista.
View all 3 replies
Is there evidence it wasn't pre-tested?
by dotmike September 27, 2007 2:34 PM PDT
Hacks are possible into anything. Even the best lock in the world
can be drilled.

I'm sure Apple did test, but the mathematics of security
vulnerabilities suggests the odds of finding every possible
combination within a given period of time are against it.

It's important that issues are patched as they are discovered and
before they are widely exploited, and Apple appears to be doing
that.

Besides, most of the exploits seem to rely on "enticing a user to
visit a maliciously crafted Web page."

As the doctor with the "it hurts when I do this" patient said,
"don't do that."
View reply
Ditto here RCrusoe
by Rick Cavaretti September 28, 2007 7:26 AM PDT
Great 'thinly veiled' post with a great punch line at the end. I too
almost lost my coffee across my keyboard.
Reply to this comment
Woops. One more thing
by Rick Cavaretti September 28, 2007 7:30 AM PDT
Hit the button too soon. Other sites are reporting this story in a
different slant. Apparently, this update shuts down all of the
hacked iPhones and limits them to the ATT network. Almost no
mention of the other issues.
Reply to this comment
What Apple is not open source?
by ferretboy88 September 28, 2007 4:34 PM PDT
Apple only wants you to use the lame AT and T crap network. People talk about mircosoft and how greedy they are but Steve Jobs has 6 Billion and he sure is a real greedy pig also.
the bigger issue (to me)...
by mastercko September 28, 2007 11:09 AM PDT
...isn't the fact that they're releasing a patch (that's normal, whatever).

It's this:

Further, Apple refuses to discuss pending security vulnerabilities not patched here, stating "For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available."

guh? "We won't talk about it till we fix it?" Security through obfuscation? Isn't that attitude like the exact OPPOSITE of the computer security community at large? Gotta love the walled garden.
Reply to this comment
Sure
by Lee in San Diego September 29, 2007 9:46 AM PDT
They should publish details about vulnerabilities. /snark
horizontal keyboard for texting?
by sirjigster September 28, 2007 6:11 PM PDT
where is the horizontal keyboard for texting? why not try to add a
copy and paste feature? where is the MMS texting? like other
people have said they are just trying to relock the phones for the
users who have t-mobile.
Reply to this comment

In the news now

Photos: Gadgets we're thankful for

Some of your favorite Crave contributors reveal which gadget or aspect of technology they're feeling most grateful for these days.



BlackBerry Storm packs more of a drizzle

review Phone has an innovative touch screen that provides tactile feedback, but the onscreen keyboard is a bit cramped, and the smartphone can be sluggish, and speakerphone quality is choppy.



About News Blog

Recent posts on technology, trends, and more.

Add this feed to your online news reader

News Blog topics

advertisement
advertisement

Inside CNET News

Scroll Left Scroll Right
News
Latest news
Business tech
Green tech
Wireless
Security
Media
Popular topics
Apple iPhone
Apple iPod
CES
Cell phones
Dell
GPS
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
Corrections
Customer Help Center
RSS
What's new
About CNET