Apple caught neglecting iPhone security

As WaPo's Brian Krebs reports, the iPhone runs a stripped down version of Mac OS X but, even though OS X security updates are coming fast and furious, the iPhone has been neglected.

This means that there are multiple serious iPhone code execution flaws -- including the CanSecWest Safari contest bug -- that remains unpatched.

Krebs writes:

In seeking confirmation of this, I spoke recently with Charlie Miller, one of the foremost OS X and iPhone security researchers. Miller confirmed that the iPhone updater tells users that if they have version 1.1.4 installed then they are running the most current version. The problem is that this update does not include fixes for a slew of security holes in the Safari Web browser and other OS X components upon which the iPhone relies heavily.

"Apple should either update their software like they do with the core operating system, or otherwise don't advertise the fact that the iPhone checks for updates every week," Miller said. "Right now, an iPhone user is going to think they're up-to-date because there's no patch available, but the reality is that users are only as secure as they were back in February."

Even more worrisome, Miller has created a tool to exploit the Safari vulnerability on an iPhone.

Using the exploit, an attacker who convinces an iPhone user to click on a malicious link could steal the victim's call records or contacts, send text messages or read the user's sent and received messages, and make outgoing calls, among other things.

There's also an iPhone zero-day floating around out there.

So, if you love your iPhone like I do,  consider sending Apple a note (<product-security@apple.com>) and let them know that this neglect is unacceptable.

* Image source:  oskay's Flickr photostream (Creative Commons 2.0).