Apple's software updates for the iPhone and iPod touch contain a few security fixes. Apple also patched QuickTime while it was at it.
On the heels of Apple CEO Steve Jobs' big Macworld performance Tuesday, the company slipped out a few security fixes. In an email alert, Apple noted that the iPhone v.1.1.3 software and the iPod touch v.1.13 include the following fixes.
CVE-2008-0035: This remedy plugs holes in iPhone software versions 1.0 through 1.1.2 and iPod touch v.1.1 and 1.1.2. The flaw allows a "maliciously crafted URL" to terminate an application or lead to an arbitrary code execution. The problem is largely related to Safari's handling of URLs.
CVE-2008-0034: Here Apple is plugging a flaw in iPhone software v.1.0 through v. 1.1.2 that allows an unauthorized user to bypass the passcode lock.
Apple says in its email alert:
The Passcode Lock feature is designed to prevent applications from being launched unless the correct passcode is entered. An implementation issue in the handling of emergency calls allows users with physical access to an iPhone to launch an application without the passcode. This update addresses the issue through an improved check on the state of the Passcode Lock.
CVE-2007-5858: This patch fixes a Safari vulnerability that allows the disclosure of sensitive information when you visit a malicious Web site.
Meanwhile, Apple released QuickTime 7.4, which addresses three security vulnerabilities. Here's the list:
CVE-2008-0031: This patch is available for Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista and XP SP2. The problem: Vistiting a malicious movie file may lead to a crash or arbitrary code execution. The flaw was discovered by Jun Mao of VeriSign iDefense Labs.
CVE-2008-0032: Covers QuickTime on all of the aforementioned operating systems. Apple says the patch addresses a memory corruption issue that leads to the same problem as the previous flaw above. CVE-2008-0033 also is along the same lines.
CVE-2008-0036: Affects all operating systems. Apple says:
Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution Description: A buffer overflow may occur while processing a compressed PICT image. Opening a maliciously crafted compressed PICT file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by terminating decoding when the result would extend beyond the end of the destination buffer.
If Apple stays true to form Leopard fixes can't be too far behind.