Apple patches months-old iPhone, iPod touch bugs

Apple patched 13 vulnerabilities in the iPhone and iPod touch last Friday, including several it had fixed in Mac OS X or the Safari Web browser as long ago as March.

Six of the 13 bugs were tagged with the phrase "arbitrary code execution," which Apple uses to denote the most serious vulnerabilities. Other operating system vendors, such as Microsoft, typically label such flaws "critical" in their threat rating systems.

All but two of the bugs affected Safari or WebKit, the open-source code that provides Safari's core engine.

Several of the Safari and WebKit patches for the iPhone and iPod touch had been released by Apple earlier -- sometimes months earlier -- according to comparisons with previous security advisories and searches of the CVE (Common Vulnerabilities and Exposures) database. According to Computerworld's analysis, five of the 13 iPhone/iPod touch fixes were for vulnerabilities previously patched in Mac OS X or Safari between March and June.

That lag caught the attention of one security professional, who criticized Apple's inability to update Safari across its product lines. "Putting out a security update on the same day that it launched [iPhone 2.0] shows that they knew they were already behind," said Andrew Storms, director of security operations at nCircle Network Security Inc. "Charlie Miller beat the drum on this, asking if anyone realized that there were a number of unpatched vulnerabilities on the iPhone. A lot of people hadn't thought of that because we were looking forward to iPhone 2.0.

"But Apple put us in a situation of being vulnerable," he said.

Other vulnerabilities patched by Apple on Friday had been addressed by other vendors months, or in one case, years, before. A Safari cross-site scripting vulnerability patched Friday, for example, had been fixed in early June 2006 -- more than two years ago -- by Mozilla Corp. in an update to its then-current Firefox 1.5 browser.

Storms blasted Apple's patching practice, saying that the reality didn't match the company's talk. "They're the ones telling us that they're working toward a unified platform," said Storms. But based on the slow patching for the iPhone's vulnerabilities, he questioned whether that's true. "We've been working on the supposition that the iPhone firmware is OS X-based, and same-code based. If that's the case, Apple should be able to update one, and easily update other [versions] of Safari.

"Either [the iPhone and Mac operating systems] are not the same code base or their business groups can't coordinate releases," he argued.

At least one of the just-patched vulnerabilities has had an available exploit since February. Tagged with the CVE identifier 2008-0177, the flaw, which was fixed in late May by Apple as part of a massive 40-patch update to Mac OS X, was pinned with an exploit as early as Feb. 24.

iPhone and iPod touch owners can obtain the security patches by downloading and installing the 2.0 firmware, which is available via Apple's iTunes.

Gregg Keizer

Computerworld