iPhone 3.0 update fixes 46 security flaws

In its security advisory about the iPhone 3.0 software update Apple describes a number of security flaws that have now been fixed.


Apple has admitted that the iPhone 3.0 software download patches 46 security holes. While this update is free to iPhone users, iPod touch owners will have to pay for this essential security update.

IT security firm Sophos is urging iPhone and iPod Touch users to upgrade their device. Sophos notes that Apple has also included a number of security patches inside the update, making it crucial for both iPhone and iPod touch users to patch as quickly as possible.

Sophos warns: "iPod Touch customers are required to pay $9.95 for the privilege".

Graham Cluley, senior technology consultant at Sophos, described how leaving an iPod touch or iPhone unpatched could leave the device open to attack: "If left unpatched, hackers could run malware on your iPhone just by you visiting a website or viewing a maliciously-crafted image. Although we haven't come across any examples of hackers creating malware to exploit these vulnerabilities as yet, it is vital that iPhone and iPod Touch users understand the importance of this latest update. Without it, they are leaving themselves potentially wide open to attack - it pays to remember that no operating system is invincible."

"There's no doubt that some iPod Touch users will be unhappy that they have to pay for their devices to be fixed, and it's certainly unusual for a company to charge for important security patches like this," continued Cluley on his blog. "In an ideal world Apple would make free fixes available for iPod Touch users who don't feel they need cut-and-paste and other new features, but do want to be able to use the internet securely."

In its iPhone 3.0 update security advisory Apple describes six flaws in CoreGraphics which have now been fixed. One CoreGraphics flaw meant that viewing a maliciously crafted image could lead to an unexpected application termination or arbitrary code execution. Apple describes another flaw in which “opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution”.

The impact of a flaw in Mail is described thus: “Users do not have control over the loading of remote images in HTML messages”. This security hole was present because Mail did not provide a preference to turn off the automatic loading of remote images. “Opening an HTML email containing a remote image will automatically request it,” explains Apple.

A Safari bug meant that clearing Safari's history via the Settings application did not prevent disclosure of the search history to a person with physical access to the device. The iPhone 3.0 update addresses the issue by removing the search history when Safari's history is cleared via the Settings application. Apple gives credit to Joshua Belsky for reporting this issue.

Other flaws are fixed in Exchange, ImageIO, Unicode, IPSec, MPEG-4 Video Codec, Profiles and Telephony, along with a further 20 flaws in WebKit.

Besides these security updates, the iPhone 3.0 update offers many new features. Read our iPhone 3.0 review to find out how the 3.0 update will transform your iPhone with a fantastic new cut and paste function, MMS, AutoFill login and a widescreen keyboard, plus push notification and other developer tools that promise to take apps in a completely new direction.