September 27th, 2007
Apple patches 10 iPhone security holes
Apple has shipped an iPhone software update to patch 10 different vulnerabilities that could allow malicious hackers to launch executable code, steal e-mail credentials or take control of the device’s phone-dialing capabilities.
The mega-patch, which shipped today as iPhone v1.1.1, patches seven holes in Safari, a code execution and denial-of-service bug in Bluetooth, and two flaws affecting the built-in Mail service.
The skinny, via Apple’s advisory:
Bluetooth (CVE-2007-3753) — An input validation issue in the iPhone’s Bluetooth server could allow the use of maliciously-crafted Service Discovery Protocol (SDP) packets to trigger an unexpected application termination or arbitrary code execution.
Mail (CVE-2007-3754 and CVE-2007-3755) — When Mail is configured to use SSL for incoming and outgoing connections, it does not warn the user when the identity of the mail server has changed or cannot be trusted. An attacker capable of intercepting the connection may be able to impersonate the user’s mail server and obtain the user’s email credentials or other sensitive information. Separately, following a telephone (”tel:”) link in Mail will dial a phone number without confirmation.
The seven Mobile Safari vulnerabilities — which likely affect the desktop (Windows and Mac) versions of the browser — range from disclosure of URL contents, dialing phone numbers with a confirmation dialog, cross-site scripting and the manipulation of the contents of documents served over HTTPS.
Michal Zalewski, the browser hacking guru recently hired by Google, is credited with reporting three of the Safari vulnerabilities.
In addition to the iPhone patches, Apple is expected to ship a monster Mac OS X update later today. This will include fixes for the year-old QuickTime code execution issue that made headlines recently.
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
