Apple patches 10 iPhone security holes

Apple has shipped an iPhone software update to patch 10 different vulnerabilities that could allow malicious hackers to launch executable code, steal e-mail credentials or take control of the device's phone-dialing capabilities.

The mega-patch, which shipped today as iPhone v1.1.1, patches seven holes in Safari, a code execution and denial-of-service bug in Bluetooth, and two flaws affecting the built-in Mail service.

The skinny, via Apple's advisory:

Bluetooth (CVE-2007-3753) -- An input validation issue in the iPhone's Bluetooth server could allow the use of maliciously-crafted Service Discovery Protocol (SDP) packets to trigger an unexpected application termination or arbitrary code execution.
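The class of check the Bluetooth entry is about, as an added example that is not Apple's code and does not model the actual iPhone bug: a bounds-checked parser for an SDP ServiceSearchRequest PDU (header and data-element layout per the Bluetooth Core spec) that rejects any length field inconsistent with the buffer it arrived in instead of reading past it. The sample packet bytes are constructed for the example.

```python
import struct

SDP_HDR = struct.Struct("!BHH")     # PDU ID, transaction ID, parameter length
PDU_SERVICE_SEARCH_REQ = 0x02
DE_TYPE_UUID, DE_TYPE_SEQ = 3, 6    # data-element type codes
MAX_CONT_STATE = 16                 # continuation state is at most 16 bytes
class SdpError(ValueError):
    """Any inconsistency in the PDU: the caller drops it, nothing is read out of bounds."""
def _elem(buf, pos):
    """Decode the data-element header at buf[pos] -> (type, body_len, body_start)."""
    if pos >= len(buf):
        raise SdpError("truncated data element header")
    typ, size_idx = buf[pos] >> 3, buf[pos] & 7
    if size_idx <= 4:                        # fixed body sizes 1, 2, 4, 8, 16
        return typ, 1 << size_idx, pos + 1
    width = {5: 1, 6: 2, 7: 4}[size_idx]     # explicit length field follows
    if pos + 1 + width > len(buf):
        raise SdpError("truncated length field")
    return typ, int.from_bytes(buf[pos + 1:pos + 1 + width], "big"), pos + 1 + width
def parse_service_search_request(pdu):
    """Parse a ServiceSearchRequest; every length field is checked against the real buffer."""
    if len(pdu) < SDP_HDR.size:
        raise SdpError("short PDU header")
    pdu_id, tid, plen = SDP_HDR.unpack_from(pdu)
    params = pdu[SDP_HDR.size:]
    if pdu_id != PDU_SERVICE_SEARCH_REQ or plen != len(params):
        raise SdpError(f"bad PDU id {pdu_id:#x} or length {plen} != {len(params)}")
    typ, seq_len, pos = _elem(params, 0)
    end = pos + seq_len
    if typ != DE_TYPE_SEQ or end > len(params):
        raise SdpError("service search pattern overruns the PDU")
    uuids = []
    while pos < end:
        typ, n, body = _elem(params, pos)
        if typ != DE_TYPE_UUID or n not in (2, 4, 16) or body + n > end:
            raise SdpError("bad UUID element in search pattern")
        uuids.append(params[body:body + n].hex())
        pos = body + n
    if not 1 <= len(uuids) <= 12 or end + 3 > len(params):
        raise SdpError("pattern must hold 1..12 UUIDs, then count and continuation")
    max_count = int.from_bytes(params[end:end + 2], "big")
    cont_len = params[end + 2]
    if cont_len > MAX_CONT_STATE or end + 3 + cont_len != len(params):
        raise SdpError("continuation state length inconsistent with PDU")
    return {"tid": tid, "uuids": uuids, "max_count": max_count, "cont": params[end + 3:].hex()}

# Constructed sample PDUs (not captured traffic): a well-formed request for the Serial Port
# UUID 0x1101, and two whose length fields disagree with the buffer they arrived in.
GOOD_PDU = bytes.fromhex("0200010008" "3503" "191101" "0010" "00")
BAD_PDUS = [bytes.fromhex("0200010020" "3503" "191101" "0010" "00"),  # header claims 32 bytes
            bytes.fromhex("0200010008" "35ff" "191101" "0010" "00")]  # sequence claims 255 bytes
```

A server built on this pattern answers malformed packets with an ErrorResponse (or drops them) rather than trusting any declared length.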

Mail (CVE-2007-3754 and CVE-2007-3755) -- When Mail is configured to use SSL for incoming and outgoing connections, it does not warn the user when the identity of the mail server has changed or cannot be trusted. An attacker capable of intercepting the connection may be able to impersonate the user's mail server and obtain the user's email credentials or other sensitive information. Separately, following a telephone ("tel:") link in Mail will dial a phone number without confirmation.

The seven Mobile Safari vulnerabilities -- which likely affect the desktop (Windows and Mac) versions of the browser as well -- range from disclosure of URL contents and dialing of phone numbers with a confirmation dialog to cross-site scripting and manipulation of the contents of documents served over HTTPS.

Michal Zalewski, the browser hacking guru recently hired by Google, is credited with reporting three of the Safari vulnerabilities.

In addition to the iPhone patches, Apple is expected to ship a monster Mac OS X update later today. This will include fixes for the year-old QuickTime code execution issue that made headlines recently.


About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio
