Softpedia
 


August 1st, 2007, 08:18 GMT · By Victor Mihailescu

Apple Releases First iPhone Update

iPhone updates have been a hot topic ever since the device was released, and for good reason: they guarantee Apple the ability to constantly improve the device. These updates could add a lot of value to the device and could change the public's perception of what a cell phone should be and how it should evolve over time. There has been much speculation over what the first such update would bring, but now we know for sure.

The first iPhone update might look disappointing considering what some were expecting, but it is nevertheless quite important. While it contains nothing more than security improvements, this update is proof that Apple is staying on top of any issues that might occur and is fixing potential problems as fast as possible. The security flaws discovered so far have been plugged by this update, which became available for download within a matter of weeks of their discovery.
Apple has been receiving a lot of bad comments from various security researchers who claim that the company is not taking security seriously and that it does not know how to properly cooperate with them. The reality of this update is that Apple took all these vulnerabilities very seriously, eliminated the bugs and seems to have worked just fine with the independent researchers who first found the problems.

Apple today released iPhone 1.0.1 firmware which includes bug fixes and supersedes all previous versions.
iPhone Software Update 1.0.1 is available via iTunes: Select iPhone in the Source pane and click the Summary tab. Click "Check for Update."

iPhone v1.0.1 Update security content:

■ Safari
CVE-ID: CVE-2007-2400
Available for: iPhone v1.0
Impact: Visiting a malicious website may allow cross-site scripting
Description: Safari's security model prevents JavaScript in remote web pages from modifying pages outside of their domain. A race condition in page updating combined with HTTP redirection may allow JavaScript from one page to modify a redirected page. This could allow cookies and pages to be read or arbitrarily modified. This update addresses the issue by correcting access control to window properties. Credit to Lawrence Lai, Stan Switzer, and Ed Rowe of Adobe Systems, Inc. for reporting this issue.

■ Safari
CVE-ID: CVE-2007-3944
Available for: iPhone v1.0
Impact: Viewing a maliciously crafted web page may lead to arbitrary code execution
Description: Heap buffer overflows exist in the Perl Compatible Regular Expressions (PCRE) library used by the JavaScript engine in Safari. By enticing a user to visit a maliciously crafted web page, an attacker may trigger the issue, which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript regular expressions. Credit to Charlie Miller and Jake Honoroff of Independent Security Evaluators for reporting these issues.

■ WebCore
CVE-ID: CVE-2007-2401
Available for: iPhone v1.0
Impact: Visiting a malicious website may allow cross-site requests
Description: An HTTP injection issue exists in XMLHttpRequest when serializing headers into an HTTP request. By enticing a user to visit a maliciously crafted web page, an attacker could trigger a cross-site scripting issue. This update addresses the issue by performing additional validation of header parameters. Credit to Richard Moore of Westpoint Ltd. for reporting this issue.

■ WebKit
CVE-ID: CVE-2007-3742
Available for: iPhone v1.0
Impact: Look-alike characters in a URL could be used to masquerade a website
Description: The International Domain Name (IDN) support and Unicode fonts embedded in Safari could be used to create a URL which contains look-alike characters. These could be used in a malicious web site to direct the user to a spoofed site that visually appears to be a legitimate domain. This update addresses the issue through an improved domain name validity check.

■ WebKit
CVE-ID: CVE-2007-2399
Available for: iPhone v1.0
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: An invalid type conversion when rendering frame sets could lead to memory corruption. Visiting a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution. Credit to Rhys Kidd of Westnet for reporting this issue.

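
For the look-alike URL issue (CVE-2007-3742), the advisory does not say what the improved validity check does. The following JavaScript is an added example, not Apple's or WebKit's code, showing one common heuristic: flag any domain label that mixes writing systems. The script list, the allowed combinations, the function names and the sample hostnames are all assumptions made for the illustration.

```javascript
// Added illustration; not WebKit's check. Script list and names are chosen for the example.
const SCRIPTS = ["Latin", "Cyrillic", "Greek", "Armenian", "Hebrew",
                 "Arabic", "Han", "Hiragana", "Katakana", "Hangul"];
const MATCHERS = SCRIPTS.map((s) => [s, new RegExp(`\\p{Script=${s}}`, "u")]);
// Digits, hyphen and combining marks belong to no particular script.
const NEUTRAL = /[\p{Script=Common}\p{Script=Inherited}]/u;

// Returns the sorted list of scripts used by the characters of one label.
function scriptsInLabel(label) {
  const found = new Set();
  for (const ch of label) {
    if (NEUTRAL.test(ch)) continue;
    const hit = MATCHERS.find(([, re]) => re.test(ch));
    found.add(hit ? hit[0] : "Other");
  }
  return [...found].sort();
}

// Combinations that occur in ordinary Japanese and Korean text.
const ALLOWED_MIXES = [["Han", "Hiragana", "Katakana"], ["Han", "Hangul"]];
function isAllowedMix(scripts) {
  return ALLOWED_MIXES.some((mix) => scripts.every((s) => mix.includes(s)));
}

// Returns the labels of a Unicode hostname that mix scripts in a suspicious way.
function suspiciousLabels(hostname) {
  return hostname.normalize("NFC").toLowerCase().split(".")
    .map((label) => ({ label, scripts: scriptsInLabel(label) }))
    .filter((e) => e.scripts.length > 1 && !isAllowedMix(e.scripts));
}

// Constructed samples on the reserved .test TLD.
const plain = "example.test";
const mixed = "ex\u0430mple.test"; // U+0430 CYRILLIC SMALL LETTER A in a Latin label
const japanese = "\u65E5\u672C\u8A9E\u30C9\u30E1\u30A4\u30F3.test"; // Han + Katakana
```

A label written entirely in one non-Latin script passes this check, so it is usually paired with displaying the Punycode form for scripts the user has not enabled.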

Despite the very fast deployment of this update, there seem to be some issues with it as some users are reporting that their iPhone doesn't like their Apple Bluetooth headset after updating. Apparently, "This accessory is not made to work with the iPhone" and the iPhone asks "Would you like to turn on Airplane mode to reduce audio interference (you will not be able to make or receive calls)?" It is still too early to tell whether this is a widespread problem, but if it is, the next iPhone update won't be far behind.