Apple delivers iPhone, iPod touch and QuickTime fixes with Macworld updates

Summary: Apple's software updates for the iPhone and iPod touch contain a few security fixes. Apple also patched QuickTime while it was at it.

On the heels of Apple CEO Steve Jobs' big Macworld performance Tuesday, the company slipped out a few security fixes. In an email alert, Apple noted that the iPhone v.1.1.3 software and the iPod touch v.1.13 include the following fixes.

CVE-2008-0035: This remedy plugs holes in iPhone software versions 1.0 through 1.1.2 and iPod touch v.1.1 and 1.1.2. The flaw allows a "maliciously crafted URL" to terminate an application or lead to arbitrary code execution. The problem is largely related to Safari's handling of URLs.

CVE-2008-0034: Here Apple is plugging a flaw in iPhone software v.1.0 through v.1.1.2 that allows an unauthorized user to bypass the passcode lock.

Apple says in its email alert:

The Passcode Lock feature is designed to prevent applications from being launched unless the correct passcode is entered. An implementation issue in the handling of emergency calls allows users with physical access to an iPhone to launch an application without the passcode. This update addresses the issue through an improved check on the state of the Passcode Lock.

CVE-2007-5858: This patch fixes a Safari vulnerability that allows the disclosure of sensitive information when you visit a malicious Web site.

Meanwhile, Apple released QuickTime 7.4, which addresses three security vulnerabilities. Here's the list:

CVE-2008-0031: This patch is available for Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista and XP SP2. The problem: Visiting a malicious movie file may lead to a crash or arbitrary code execution. The flaw was discovered by Jun Mao of VeriSign iDefense Labs.

CVE-2008-0032: Covers QuickTime on all of the aforementioned operating systems. Apple says the patch addresses a memory corruption issue that leads to the same problem as the previous flaw above. CVE-2008-0033 also is along the same lines.

CVE-2008-0036: Affects all operating systems. Apple says:

Opening a maliciously crafted PICT image may lead to an unexpected application termination or arbitrary code execution. Description: A buffer overflow may occur while processing a compressed PICT image. Opening a maliciously crafted compressed PICT file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by terminating decoding when the result would extend beyond the end of the destination buffer.
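
The fix Apple describes for the PICT issue, stopping decoding before a write would pass the end of the destination buffer, looks like this in a simple run-length decoder. This is an added example, not Apple's code or part of the original article; the PackBits-style format and the name `rle_decode` are assumptions for illustration, since the advisory does not say which PICT compression was involved.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative PackBits-style run-length decoder (hypothetical names).
 * Returns bytes written, or -1 if the input is truncated or the next run
 * would extend past dst_cap; it stops before making any such write. */
long rle_decode(const uint8_t *src, size_t src_len, uint8_t *dst, size_t dst_cap)
{
    size_t in = 0, out = 0;

    while (in < src_len) {
        int8_t ctl = (int8_t)src[in++];
        size_t run;

        if (ctl == -128)                 /* no-op control byte */
            continue;
        if (ctl >= 0) {                  /* literal run of ctl+1 bytes */
            run = (size_t)ctl + 1;
            if (run > src_len - in)      /* input ends mid-run */
                return -1;
            if (run > dst_cap - out)     /* result would pass end of dst */
                return -1;
            memcpy(dst + out, src + in, run);
            in += run;
        } else {                         /* next byte repeated 1-ctl times */
            run = (size_t)(1 - ctl);
            if (in >= src_len)           /* repeat value missing */
                return -1;
            if (run > dst_cap - out)     /* result would pass end of dst */
                return -1;
            memset(dst + out, src[in++], run);
        }
        out += run;
    }
    return (long)out;
}

int main(void)
{
    /* Constructed input: literal "abc", then 'x' repeated three times. */
    const uint8_t packed[] = { 0x02, 'a', 'b', 'c', 0xFE, 'x' };
    uint8_t row[5];                      /* one byte too small on purpose */

    printf("decode into 5 bytes: %ld\n", rle_decode(packed, sizeof packed, row, sizeof row));
    return 0;
}
```

Both bounds are checked as `run > remaining` rather than `offset + run > size`, so the comparison cannot wrap around.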

If Apple stays true to form, Leopard fixes can't be too far behind.

About

Larry Dignan is Editor in Chief of ZDNet and SmartPlanet as well as Editorial Director of ZDNet's sister site TechRepublic. He was most recently Executive Editor of News and Blogs at ZDNet. Prior to that he was executive news editor at eWeek and news editor at Baseline. He also served as the East Coast news editor and finance editor at CN...