Feeds

Apple drags its heels on iPhone security patches

Waiting for the second coming

Top 5 reasons to deploy VMware with Tegile

Apple has failed to keep software for the iPhone up to date with patches available for its desktop PCs.

The latest version of the software for the iPhone, 1.1.4, came out in February and is essentially a pared-down version of Mac OS 10.5, according to security researchers. As a result the Jesus phone is still vulnerable to an exploit demonstrated by Charlie Miller at the CanSec West security conference back in March. Miller used a bug in Apple WebKit, as used in versions of Safari prior to version 3.1.1, to win a $10,000 prize in the "Pwn to Own" contest at the conference.

Apple issued patches for its desktop machines in April but is yet to patch the Jesus phone.

Miller told the Washington Post that he's created a tool that exploits this vulnerability in the version of Safari running on the iPhone. In the wrong hands the utility could allow the theft of call records or contacts, providing a user of the phone is tricked into opening a maliciously constructed link. The approach might also be used to make outgoing calls from the device.

Other vulnerabilities involving Safari and the iPhone are in the pipeline, though they are not as critical. Security researcher Aviv Raff has discovered a security bug in the software combination that might allow phishing attacks. Raff is withholding details of the fix pending a security update from Apple.

In related news, security firm MX Logic reckons that iPhone-related scams will occur if demand outstrips supply of 3G versions of the iPhone, due to begin arriving on 11 July. Security watchers speculate that Apple has been focused on developing software for the next generation of the iPhone rather than addressing problems with version 1.x of the iPhone software. ®

Intelligent flash storage arrays

More from The Register

next story
Mighty Blighty broadbanders beg: Let us lay cable in BT's, er, ducts
Complain to Ofcom that telco has 'effective monopoly'
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
Broadband sellers in the UK are UP TO no good, says Which?
Speedy network claims only apply to 10% of customers
Virgin Media struck dumb by NATIONWIDE packet loss balls-up
Turning it off and on again fixes glitch 12 HOURS LATER
Yahoo! blames! MONSTER! email! OUTAGE! on! CUT! CABLE! bungle!
Weekend woe for BT as telco struggles to restore service
Fujitsu CTO: We'll be 3D-printing tech execs in 15 years
Fleshy techie disses network neutrality, helmet-less motorcyclists
Facebook, working on Facebook at Work, works on Facebook. At Work
You don't want your cat or drunk pics at the office
Soz, web devs: Google snatches its Wallet off the table
Killing off web service in 3 months... but app-happy bonkers are fine
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
10 threats to successful enterprise endpoint backup
10 threats to a successful backup including issues with BYOD, slow backups and ineffective security.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.