Apple has shipped a patch to cover five documented vulnerabilities that expose iPhone and iPod Touch users to malicious hacker attacks.
The most serious flaws could allow remote code execution if an iPhone/iPod Touch user opens a maliciously crafted audio or image file.
Here's the skinny on the vulnerabilities being patched with this iPhone OS 3.1.3 and iPhone OS 3.1.3 for iPod Touch update:
CoreAudio (CVE-2010-0036) -- A buffer overflow exists in the handling of mp4 audio files. Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution.
ImageIO (CVE-2009-2285) -- A buffer underflow exists in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
Recovery Mode (CVE-2010-0038) -- A memory corruption issue exists in the handling of a certain USB control message. A person with physical access to the device could use this to bypass the passcode and access the user's data.
WebKit (CVE-2009-3384) -- Multiple input validation issues exist in WebKit's handling of FTP directory listings. Accessing a maliciously crafted FTP server may lead to information disclosure, unexpected application termination, or execution of arbitrary code.
WebKit (CVE-2009-2841) -- When WebKit encounters an HTML 5 Media Element pointing to an external resource, it does not issue a resource load callback to determine if the resource should be loaded. This may result in undesired requests to remote servers. As an example, the sender of an HTML-formatted email message could use this to determine that the message was read.
This iPhone/iPod Touch update is only available through iTunes and will not appear in the software update utility available on Mac and Windows systems.