Security fixes detailed

Nov 21, 2008 14:14 GMT

As usual, Apple has released two separate versions of its iPhone OS: one for users of an iPhone, and one for owners of an iPod touch. Since the two devices mostly share common features, the two versions of the update are pretty much identical. We haven't yet had a chance to look at the security side of the new release, so we propose to do so now.

As you may have already heard, the iPhone 2.2 update contains enhancements to Mail, fixes connection issues with WPA-secured wireless networks, improves Safari behavior, and more. On the touch side, Apple reveals that OS 2.2 includes a new preference to turn off auto-correction for typing. Whether this feature is specific to the portable player remains to be seen. Nonetheless, it's a nice “touch.”

2.2 for the iPod touch is believed to bring everything but the Google Maps upgrade. iPod touch owners updating to the latest version of the software also benefit from podcast downloads, as well as the feature that enables one to hit the Home button from any home screen, and go to the first home screen.

As for the security tweaks, Apple has updated CoreGraphics, ImageIO, networking, Office Viewer, Passcode Lock, Safari and WebKit. The latter has received extra attention, as “sensitive information may be disclosed to a person with physical access to an unlocked device,” Apple reveals. Apparently, disabling autocomplete on a form field may not prevent the data in that field from being stored in the browser page cache.

Regarding the Safari bug, it seems it was possible for a user to visit a maliciously crafted website that would initiate calls for them without their consent (“without user interaction”).

Apple's detailed description of the bug says that “if an application is launched via Safari while a call approval dialog is shown, the call will be placed. This may allow a maliciously crafted website to initiate a phone call without user interaction. Additionally, under certain circumstances it may be possible for a maliciously crafted website to block the user's ability to cancel dialing for a short period of time.” The issue was discovered by Collin Mulliner of Fraunhofer SIT. Apple fixed it with a patch that properly dismisses Safari's call approval dialog when an application is launched via Safari. The rest of the security enhancements included in iPhone OS 2.2 can be found over at Apple's Support section.

To update your iPod touch firmware, connect your device to a computer running iTunes 8, and click "Check for Update" in the Devices area of the sidebar in iTunes. It’s free if you have version 2.0 or later. Be sure to drop us a line if you find any undisclosed features in the new OS.