July 3rd, 2008
Apple caught neglecting iPhone security
If you’re waiting on iPhone 2 to standardize your business on the awesome new device (yeah, I’ll be on line to buy one), you might want to pay attention to the conspicuous absence of iPhone security patches over the last four months.
As WaPo’s Brian Krebs reports, the iPhone runs a stripped down version of Mac OS X but, even though OS X security updates are coming fast and furious, the iPhone has been neglected.
This means that there are multiple serious iPhone code execution flaws — including the CanSecWest Safari contest bug — that remains unpatched.
Krebs writes:
In seeking confirmation of this, I spoke recently with Charlie Miller, one of the foremost OS X and iPhone security researchers. Miller confirmed that the iPhone updater tells users that if they have version 1.1.4 installed then they are running the most current version. The problem is that this update does not include fixes for a slew of security holes in the Safari Web browser and other OS X components upon which the iPhone relies heavily.
“Apple should either update their software like they do with the core operating system, or otherwise don’t advertise the fact that the iPhone checks for updates every week,” Miller said. “Right now, an iPhone user is going to think they’re up-to-date because there’s no patch available, but the reality is that users are only as secure as they were back in February.”
Even more worrisome, Miller has created a tool to exploit the Safari vulnerability on an iPhone.
Using the exploit, an attacker who convinces an iPhone user to click on a malicious link could steal the victim’s call records or contacts, send text messages or read the user’s sent and received messages, and make outgoing calls, among other things.
There’s also an iPhone zero-day floating around out there.
So, if you love your iPhone like I do, consider sending Apple a note (<product-security@apple.com>) and let them know that this neglect is unacceptable.
* Image source: oskay’s Flickr photostream (Creative Commons 2.0).
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
