Apple patches FaceTime redirect security hole in iPhone

Summary: The iOS 4.1 update includes fixes for a total of 24 documented security holes, most in the open-source WebKit rendering engine.

Apple's iPhone 4 contains a security hole that allows hackers in a privileged network position to redirect FaceTime video calls.

The security vulnerability, just patched with the latest iOS 4.1 for iPhone and iPod touch, occurs because of an issue in the handling of invalid certificates, Apple said in an advisory.

The iOS 4.1 update includes fixes for a total of 24 documented security holes, most in the open-source WebKit rendering engine.

The WebKit flaws could be exploited to take complete control of iPhones or iPod touch devices that are lured to maliciously rigged Web pages.

The patch also fixes a user interface accessibility vulnerability in the settings panel for Location Services. This may cause the VoiceOver feature to not announce the presence of the location services icon that is shown next to an application that has requested the user's location within the last 24 hours.

It also fixes a memory corruption issue in the handling of TIFF images. Processing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution, Apple said.

Talkback

6 comments
  • Blaming Open Source Webkit Engine Instead Apple's Platform Version...

    ..... just plain asinine! Sorry... but if this was true the vulnerabilities would be seen across all Internet software that uses Webkit (KHTML Browser Engine from KDE) as a basis of their design. As we all know that's NOT SO!

    Otherwise KDE Konqueror, Opera Browser, Chrome, and countless others would be in deep doodoo too!

    Put the freaking blame where it belongs..... in CrApple poor implementation of the Webkit Engine. Which btw.... they are responsible for being one of the main developer on the project. So if you are going to blame someone..... don't divorce that blame from the one who had the biggest hand in making in the first place!
    i2fun
    • RE: Apple patches FaceTime redirect security hole in iPhone

      @i2fun@...
      Once again showing your complete and utter ignorance.
      First, Apple is not "one of the main developer [sic]" of webKit, they are THE main developer. The vast majority of WebKit code came from Apple, NOT the founding Konqueror.
      Second, no, Konqueror, Opera, Chrome, etc. would NOT necessarily be affected, even if the flaw was in their code, because, without something similar to FaceTime, they are NOT passing around similar data packets on their network. Besides which, you have no proof they are NOT affected, do you?

      So go ahead and start your juvenile name calling (just like kids in kindergarten do, making rhyming names) and I'll call you out in advance for not actually making any substantive comment to the points made, as this is your Modus Operandi.
      DeusXMachina
      • Oh... so Apple owns KDE now.... eh? haha

        NT
        i2fun
        • Re: Oh... so Apple owns KDE now.... eh? haha

          @DeusXMachina You are one of the biggest fools on ZDNet! ....no harm though we all know you at least wish you were on their payroll. lolz...

          To my understanding the Open Source writers of the original underlying protocols and language, are who contributed the most to this Open Source Project. That CrApple at first refused to give back to under the license agreement after creating Safari with it. Only by being publically rebuked did they finally fork back improvements into the project.

          The main reason these other projects wouldn't be affected is quite simple. If.... you're not blinded by the CrApple Egomaniac Steve Jobs's arrogance and self justification of his own greedy objectives!

          And not having Facetime is precisely why these other programs and Operating Systems don't have any of these Security Holes!

          btw.... have you ever taken the time to realize that it's not the Browsers themselves that are affected by these vulnerabilities in the OS structure? That these days mobile OS's are actually built around browser as the central part of the OS. In this case that is actually built on KDE's KHTML protocols, stack and Web access. But the problem is not in the KHTML code itself. But rather Apple's own poor integration and implementation of it into the iOS kernel!

          I know you're a little too dense to figure that all out. So you'll just go on believing that Apple owns Webkit because they used it's KDE KHTML Engine as the basis to write their Web Browser on, solely for Facetime.... lolz..... you are one of the most hilarious dudes ever! haha... Love ya Bro!
          i2fun
      • And Doozy.... for your Info, Ryan purpose in mentioning TIFF...

        @DeusXMachina images here is because he's obviously on CrApple's Payroll and simply taking a shot at Adobe since they now own "TIFF" format. So just another way to reinforce both your loyalties as Apple's most fanatical iFans!

        Just remember if KDE actually wrote KHTML and started the Webkit project as they did using their code then that simply means Safari was created based on KDE's Konqueror Engine. But then Apple couldn't claim it as totally their creation. Which it's not!

        So based on all CrApple iFan and iFad ignorance, Apple only claims problems are KDE's Webkit project's fault. The credit for the good stuff will always belong to CrApple!!! haha...
        i2fun
      • RE: Apple patches FaceTime redirect security hole in iPhone

        @i2fun
        First, grow up. The infantile name calling does not make ME look bad, it only reflects on you and your juvenile makeup.
        Second, your "understanding" notwithstanding, you are wrong. At this point the LARGEST contributor to WebKit is Apple. Period. This is not a debatable point. You just need to visit the change logs. Just because it is based on the KHTML foundation does NOT say ANYTHING about code proportions.

        "That CrApple at first refused to give back to under the license agreement after creating Safari with it. Only by being publically rebuked did they finally fork back improvements into the project."

        Again, you are wrong, and know nothing about which you speak. The issue had NOTHING to do with refusal to give back code, it had to do with the difficulty of access to the aforementioned change logs for webCore and the JavaScript engines. In response, Apple moved them to OpenDarwin.

        In fact, if you had known ANYTHING about the subject you would have known to criticize Apple for keeping all non-rendering code proprietary. Then again, the idea of you as open source champion is pathetic.

        "The main reason these other projects wouldn't be affected is quite simple. If.... you're not blinded by the CrApple Egomaniac Steve Jobs's arrogance and self justification of his own greedy objectives!"

        Again, no. If you had BOTHERED to do even a cursory examination of the issue, you would have seen that the certificates involved are specific to FaceTime, and as such, only affect the iPhone and iPod Touch. That said, you would have had a valid concern, but still been in error, if you had discussed the other security issues, which, contrary to your quoted errata, DO affect the other WebKit browsers. Guess what happened after the update? That's right, Chrome received an update. Care to guess what was in it?
        http://googlechromereleases.blogspot.com/?source=ln

        "And not having Facetime is precisely why these other programs and Operating Systems don't have any of these Security Holes!"

        Again, as I just demonstrated you are in error.

        "That these days mobile OS's are actually built around browser as the central part of the OS."

        Thanks for making it clear you understand neither mobile OSes in general, or iOS in specific. It makes reading your pablum that much easier. Please explain, if this is true, why WebKit had to be PORTED to iOS!!!

        "But the problem is not in the KHTML code itself. But rather Apple's own poor integration and implementation of it into the iOS kernel!"

        Oh really?!? Care to provide a SINGLE citation to back that up?

        "So you'll just go on believing that Apple owns Webkit because they used it's KDE KHTML Engine as the basis to write their Web Browser on, solely for Facetime.... lolz"

        Being that I neither said any of that, nor can it be inferred from what I DID say, I fail to see your point. Other than that you are an idiot.

        <Stupid irrelevant rambling about Adobe ignored>

        "Just remember if KDE actually wrote KHTML and started the Webkit project as they did using their code then that simply means Safari was created based on KDE's Konqueror Engine. But then Apple couldn't claim it as totally their creation. Which it's not!"

        Please provide a citation to where Apple EVER makes this claim. In fact, they go out of their way to credit KHTML, and its open source links and roots. But Primer: KHTML is NOT WebKit, which came later, and KDE did NOT start the WebKit project. WebKit WAS created by Apple, as it was a fork of the KHTML source specifically by Apple, and made available for any platform, unlike the original Konqueror.

        That does not mean that Apple are the sole devs, however, and no one claims they are, except for you whilst spouting straw man nonsense. Google, KDE, Bitstream, even Nokia have contributed code, but by FAR the largest contributor is Apple.

        Please explain, pray tell, how exactly KHTML managed to pass Acid 2.

        Please also explain how KHTML relates to WebKit2, which was designed, by Apple, from the ground up.

        "So based on all CrApple iFan and iFad ignorance, Apple only claims problems are KDE's Webkit project's fault. The credit for the good stuff will always belong to CrApple!!! haha..."

        And here you make your ignorance and absolute bias plain as day!

        1) WebKit is NOT KDE's. Period. This is not a debatable point. In fact, the difference between them was one of the issues central to the dispute you yourself mentioned above.

        2) You contradict yourself, here, and are too dense to notice. You just finished frothing at the mouth about how WebKit is KDE's and not Apple's, and that Apple incorrectly claims WebKit as their own, but go on to say that Apple is trying to deflect blame to KDE, by putting the onus on WebKit. You can't have it both ways. If Apple claims WebKit is their own, then blaming the issues on WebKit is Apple blaming themselves, and taking responsibility. Or are you too daft even to see that?
        DeusXMachina