Apple patches months-old iPhone, iPod touch bugs

All but two of the bugs affected Safari or WebKit, the open-source code that provides Safari's core engine.

Apple patched 13 vulnerabilities in the iPhone and iPod touch last Friday, including several it had fixed in Mac OS X or the Safari Web browser as long ago as March.

Six of the 13 bugs were tagged with the phrase "arbitrary code execution," which Apple uses to denote the most serious vulnerabilities. Other operating system vendors, such as Microsoft, typically label such flaws "critical" in their threat rating systems.

Several of the Safari and WebKit patches for the iPhone and iPod touch had been released by Apple earlier -- sometimes months earlier -- according to comparisons with previous security advisories and searches of the CVE (Common Vulnerabilities and Exposures) database. According to Computerworld's analysis, five of the 13 iPhone/iPod touch fixes were for vulnerabilities previously patched in Mac OS X or Safari between March and June.

That lag caught the attention of one security professional, who criticized Apple's inability to update Safari across its product lines. "Putting out a security update on the same day that it launched [iPhone 2.0] shows that they knew they were already behind," said Andrew Storms, director of security operations at nCircle Network Security Inc. "Charlie Miller beat the drum on this, asking if anyone realized that there were a number of unpatched vulnerabilities on the iPhone. A lot of people hadn't thought of that because we were looking forward to iPhone 2.0.

"But Apple put us in a situation of being vulnerable," he said.

Other vulnerabilities patched by Apple on Friday had been addressed by other vendors months, or in one case, years, before. A Safari cross-site scripting vulnerability patched Friday, for example, had been fixed in early June 2006 -- more than two years ago -- by Mozilla Corp. in an update to its then-current Firefox 1.5 browser.

Storms blasted Apple's patching practice, saying that the reality didn't match the company's talk. "They're the ones telling us that they're working toward a unified platform," said Storms. But based on the slow patching for the iPhone's vulnerabilities, he questioned whether that's true. "We've been working on the supposition that the iPhone firmware is OS X-based, and same-code based. If that's the case, Apple should be able to update one, and easily update other [versions] of Safari.

"Either [the iPhone and Mac operating systems] are not the same code base or their business groups can't coordinate releases," he argued.

At least one of the just-patched vulnerabilities has had a publicly available exploit since February. The flaw, tagged CVE-2008-0177 and fixed by Apple in late May as part of a massive 40-patch update to Mac OS X, had an exploit circulating as early as Feb. 24.

iPhone and iPod touch owners can obtain the security patches by downloading and installing the 2.0 firmware, which is available via Apple's iTunes.

Gregg Keizer

Computerworld
