14 DAY TRIAL // Besides adding new features, tweaks and fixes in the latest software update to the iPhone OS, Apple has included a number of security patches as well, resolving recently discovered vulnerabilities in the software on both the iPhone side of the OS, and for iPod touch.
According to an Apple Support piece detailing “the security content of iPhone OS 3.1 and iPhone OS 3.1.1 for iPod touch,” almost a dozen bugs have been patched in OS 3.1 for iPhone and OS 3.1.1 for iPod touch, spanning areas like CoreAudio, Exchange Support and MobileMail. Even a “Recovery Mode” issue has been found in previous versions of the iPhone OS.
Apple reveals that, “A heap buffer overflow exists in Recovery Mode command parsing,” an issue that “may allow another person with physical access to the device to bypass the passcode, and access the user's data. This update addresses the issue through improved bounds checking.”
Another issue, affecting only iPhone owners running iPhone OS 1.0 through 3.0.1, is related to a null pointer dereference problem that exists in the software’s handling of SMS arrival notifications. Therefore, Apple says, “Receiving a maliciously crafted SMS message may lead to an unexpected service interruption.” To fix the issue, Apple has improved the handling of incoming SMS messages, crediting Charlie Miller of Independent Security Evaluators, and Collin Mulliner of Technical University Berlin for discovering and reporting the bug.
Even deleted email messages have been penned in as an issue in iPhone OS earlier than 3.1. According to Clickwise Software and Tony Kavadias, these may still be visible through a Spotlight search, as Spotlight finds and allows access to deleted messages in Mail folders on the device. According to Apple’s description of the vulnerability, “This would allow a person with access to the device to view the deleted messages.” As simple as it sounds, the issue has been addressed by not including deleted emails in the Spotlight search results anymore. Apple also notes that only iPhone OS 3.0 and iPhone OS 3.0.1 users are affected, along with iPod touch 3.0 users.
Visit Apple’s Support section here to see all the security issues addressed in iPhone OS 3.1 and iPhone OS 3.1.1 for iPod touch.