July 31st, 2007
Apple monster update fixes iPhone, Safari, Mac OS X flaws
LAS VEGAS — Apple has issued a monster update with patches for about 50 security vulnerabilities affecting iPhone, Safari and Mac OS X users.
In a race against the clock, the company rushed out iPhone v1.0 with fixes for four different vulnerabilities that could allow hackers to take full control of the device. The fix comes 24 hours ahead of the expected full disclosure of one of the iPhone vulnerabilities at the Black Hat security conference here.
Security researcher Charlie Miller, who found what is believed to be the first remotely exploitable iPhone bug, told me by e-mail earlier that he was giving his iPhone takeover demo whether or not Apple released a patch.
Apple’s advisory, Miller is credited with finding and reporting one of the issues — heap buffer overflows in the Perl Compatible Regular Expressions (PCRE) library used by the JavaScript engine in Safari. The iPhone update, which is only available via iTunes, also fixes three other flaws in Safari, WebCore and WebKit.
Apple also released a separate advisory to highlight the browser fixes available for Safari. The bugs could cause code execution attacks on Mac OS X, Windows XP and Windows Vista systems.
A third advisory from Cupertino (Security Update 2007-007) patches a total of 45 vulnerabilities in a wide range of Mac OS X components.
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
