iPhone OS 3.0 Has a Huge Security Side

Apple addresses almost 40 security issues with iPhone OS versions 1.0 through 2.2.1

  Apple Support document logo
Upon releasing the latest version of the iPhone OS, Apple posted a Support document outlining some of the security issues the update addresses, including CoreGraphics, Exchange, Mail and Safari bugs. In total, Apple has patched 38 holes in the operating system, some of which are detailed below.

Exchange

Available for iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1, Apple claims that connecting to a malicious Exchange server may lead to the disclosure of sensitive information. The description of the vulnerability then follows as such:

Description: Accepting an untrusted Exchange server certificate results in storing an exception on a per-hostname basis. On the next visit to an Exchange server contained in the exception list, its certificate is accepted with no prompt and validation. This may lead to the disclosure of credentials or application data. This update addresses the issue through improved handling of untrusted certificate exceptions. Credit to FD of Securus Global for reporting this issue.

Mail

A couple of mail issues are also listed in the Support document comprising the numerous problems affecting iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1. One of those impacts the OS via “an application that causes an alert to apear [sic.] may initiate a phone call without user interaction.” The bug’s full description is available below.

Description: If an application causes an alert to apear [sic.] while Mail's call approval dialog is shown, the call will be placed without user interaction. This update addresses the issue by not dismissing the call approval dialog when other alerts appear. Credit to Collin Mulliner of Fraunhofer SIT for reporting this issue.

Safari

With the help of Joshua Belsky, Apple found that, “Clearing Safari's history via the Settings application does not prevent disclosure of the search history to a person with physical access to the device.” In broader terms, Apple explains that...

...Clearing Safari's history via the Settings application does not reset the search history. In this case, another person with physical access to the device may be able to view the search history. This update addresses the issue by removing the search history when Safari's history is cleared via the Settings application. Credit to Joshua Belsky for reporting this issue.

iPhone OS 3.0 delivers more than 100 new features, including Cut, Copy and Paste, MMS, Spotlight Search, Landscape Keyboard, expanded parental controls for TV shows, movies and apps from the App Store, video-recording and editing capabilities, the ability to capture and send audio recordings on the go with the new Voice Memo app, the ability to wirelessly download movies, TV and audio programs and an enhanced version of iTunes and iTunes U.

Visit Apple here to learn more about the security content of iPhone OS 3.0.

Comments

By    18 Jun 2009, 09:25 GMT