Apple has failed to keep software for the iPhone up to date with patches available for its desktop PCs.

The latest version of the software for the iPhone, 1.1.4, came out in February and is essentially a pared-down version of Mac OS 10.5, according to security researchers. As a result the Jesus phone is still vulnerable to an exploit demonstrated by Charlie Miller at the CanSec West security conference back in March. Miller used a bug in Apple WebKit, as used in versions of Safari prior to version 3.1.1, to win a $10,000 prize in the "Pwn to Own" contest at the conference.

Miller told the Washington Post that he's created a tool that exploits this vulnerability in the version of Safari running on the iPhone. In the wrong hands the utility could allow the theft of call records or contacts, providing a user of the phone is tricked into opening a maliciously constructed link. The approach might also be used to make outgoing calls from the device.

Other vulnerabilities involving Safari and the iPhone are in the pipeline, though they are not as critical. Security researcher Aviv Raff has discovered a security bug in the software combination that might allow phishing attacks. Raff is withholding details of the fix pending a security update from Apple.

In related news, security firm MX Logic reckons that iPhone-related scams will occur if demand outstrips supply of 3G versions of the iPhone, due to begin arriving on 11 July. Security watchers speculate that Apple has been focused on developing software for the next generation of the iPhone rather than addressing problems with version 1.x of the iPhone software. ®

Related stories

• Hack-off contestant dubs Apple Safari 'easy pickins' (3 March 2009)
• Microsoft, Apple trumpet bevy of critical vulns (10 October 2008)
• iPhone secure enough for Japanese enterprise (7 October 2008)
• Jesus Phone vuln delivers fanboys to phishermen (6 October 2008)
• Apple fans besieged by iPhone Trojan and iTunes attack (19 September 2008)
• Apple releases bumper patch batch (16 September 2008)
• Mozilla security chief: Apple should open up (15 September 2008)
• Googlephone security team seeks bug hunters (20 August 2008)
• Mac users urged to ditch Safari (5 August 2008)
• Black Hat Apple reneges on Black Hat security talk (5 August 2008)
• Apple seeks iPhone reverse engineering expert (25 July 2008)
• iPhone Mail bug adds phishing danger (24 July 2008)
• Jobs bars 3G Jesus Phone sales at Canuck Apple Stores (8 July 2008)
• O2 starts 3G iPhone stampede - and runs away (7 July 2008)
• 3G iPhone not ready for the enterprise? (18 June 2008)
• Get 'em while they're hot: critical security fixes from Microsoft, Apple (10 June 2008)
• Firefox and Safari updates tackle alternative browser bugs (17 April 2008)
• Wi-Fi spoofing sends Jesus phone disciples off the true path (16 April 2008)
• CTIA Wireless Apple ignores Jesus Phone life raft (2 April 2008)
• CanSecWest Mac is the first to fall in Pwn2Own hack contest (28 March 2008)
• Teen hacker re-unlocks Apple's iPhone (11 February 2008)
• Jesus Phone needs an exorcist (24 July 2007)
• Security researchers poke holes in Safari (12 June 2007)