iPhone 3GS from AT&T. Free Shipping
Apple: iPhone OS 3.0 plugs 46 security bugs
Apple has issued an advisory regarding security enhancements included in the iPhone OS 3.0 release Wednesday.
(Credit:
Apple)
Here is a synopsis of the 46 iPhone security vulnerabilities addressed by the latest operating-system update for the iPhone and iPod Touch. As may be expected, many of these security patches focus on the Web-browsing framework WebKit.
CoreGraphics Changes to CoreGraphics prevent maliciously crafted image and PDF files from causing unexpected application termination or arbitrary code execution; vulnerabilities causing the same problems in FreeType v2.3.8 were also patched.
Exchange Changes were made to prevent a user from connecting to a malicious Exchange server that could lead to the disclosure of sensitive information by adding improvements to the handling of untrusted certificate exceptions.
ImageIO Changes to ImageIO prevent the use of maliciously crafted PNG images from causing unexpected application termination or arbitrary code execution.
International Components for Unicode Changes to Unicode prevent the use of maliciously crafted content that may bypass Web site filters and result in cross-site scripting.
IPSec Changes to IPSec patch multiple vulnerabilities in the racoon daemon that may lead to a denial-of-service attack.
Libxml Changes to XML library Libxml patch multiple vulnerabilities in Libxml2 version 2.6.16.
Mail Changes were made to the Mail app to give users control over the loading of remote images in HTML messages (see below). Additionally, the app was changed to prevent an application from causing an alert to appear that may be used to initiate a phone call without user interaction.
MPEG-4 Video Codec Changes to the MPEG-4 Video Codec will prevent the viewing of maliciously crafted MPEG-4 video files that may lead to an unexpected device reset.
Profiles Changes to Profiles will prohibit the installation of a configuration profile that may weaken the passcode policy defined by Exchange ActiveSync.
Safari Changes to Safari support the clearing of Safari's history via the Settings application, allowing prevention of disclosure of the search history to a person with physical access to the device. Now search history is actually removed. Additionally, if a user were to interact with a maliciously crafted Web site, a patch has been put in place to prevent unexpected action on another site such as "clickjacking."
Telephony Changes to Telephony address a problem in which a remote attacker may cause an unexpected device reset.
WebKit Changes to Web-browsing framework WebKit were very numerous in this release, given how popular the iPhone has become for Web use. They included many fixes to prevent arbitrary code or script execution, when visiting maliciously crafted Web sites. Some of these vulnerabilities could lead to app crashes and unexpected device resets, or the disclosure of sensitive information.
Previous coverage: Security updates in iPhone OS 2.2.
an article showing how many security holes they've patched, talk about spiteful rain on your parade.
Good thing you don't do this for Microsoft, you'd be here all week
Let us know if that works for you.
Yes, if it won't rotate to landscape mode then something is futzed. Check the Apple Forums, you can usually get help from power user there. Search first, the problem may already be addressed and solved. http://discussions.apple.com/index.jspa
Keep us updated.
Gotta run for now
Landscape mode does work across app in 3.0 udpate
Actually use the iPhone or just enjoy being a 'hater.'
Please keep at it, Apple. These are only the security holes that you have reported publically that have been fixed. I'm sure there are others that you aren't talking about that are still out there yet to be addressed.
sheesh
it's just that the software is so unreliable and full of holes to begin with
also here in Apple's case most of the holes aren't serious or critical
which you can thank the UNIX core for !
and how many reports of Iphone malware have we heard about till now ? zero !
Not to be rude, but I'm afraid you're mistaken on practically every single point you've made here. If you don't mind, I'm going to use the quote-rebut tactic to address each one individually...
"well to be fair to Microsoft they actually do a good job patching the holes it's just that the software is so unreliable and full of holes to begin with"
>>>>I'm not sure what you mean by "unreliable," unless you're insinuating that Windows is unstable. With the exceptions of Me and 3.x, I'd have to contend that, unlike Mac OS, Windows does NOT have problems out of the box. Having a computer wake from standby because of an open browser is unacceptable from where I stand; I use standby almost all the time, so I may continue later what I'm working on. Yet Mac users somehow learn to overlook and live with this. Also, Windows problems tend to be easier to search through Google; Mac problems are more like phantom bugs for which too many requests for help go unanswered in forums.
As far as being full of holes, this goes for all operating systems. And according to security researchers, they're easiest to find in OS X. According to Dino Dai Zovi, hacking Apple is "fun," while hacking Windows Vista is "hard work." That said, Windows is a bigger business, and that's where the vast majority of bug hunters will continue to focus their efforts.
"also here in Apple's case most of the holes aren't serious or critical which you can thank the UNIX core for"
>>>>Either you haven't read this blog, or you didn't understand the context of the security bulletins. We have the possibility of arbitrary code execution from a PNG image (plenty of which you'll find on the Web), we have clickjacking, and we have drive-by downloads from scripts and hostile Web pages. Why would these vulnerabilities be anything less than serious? Because nobody in Russia or China cares about Apple? Ridiculous! You sound like a pig in a suburban straw house, scoffing at the big bad wolf because there are so many more pigs in town. Meanwhile, Vista users and XP users who lock the kernel or use sandboxes and/or browser protection are living in brick houses. We have a lot more options.
"and how many reports of Iphone malware have we heard about till now ? zero !"
>>>>It's sad to me how many Mac users confuse status quo with inherent security. In case no one has ever told you this before, the reason so many people write malware is because they make money from spamming, click fraud, pump 'n' dump stock transactions, and identity theft. The reason they write malware mostly for Windows is because 9 out of 10 machines run Windows, and about 7 of those 9 will be running XP, which is easy pickings unless a user knows how to properly secure it.
That said, the reality is that the Mac's security is equivalent to a limited user account in XP, without the restrictions on usability. The Mac requests authentication whenever a new program is about to be installed, as does Vista's UAC, or XP when you use the "Run as" context menu option (Vista and the upcoming Windows 7 have much more than authentication, however). Unfortunately, the Mac's authentication mechanism basically only works against executables, as does a limited account in XP; Web content gets right past it with a parent program's permissions. Dino Dai Zovi pwned a Mac with a drive-by download in 2007, and Charlie Miller followed suit in 2008 and 2009, long after pwning the iPhone itself. According to this article, iPhone hacking is child's play, literally: http://www.v3.co.uk/vnunet/news/2206880/old-spawns-iphone-malware
Please excuse the fact that some of my words may seem a bit strong. But I worry about everyone's cybersecurity, not just that of Windows users. We have an iBotnet out there now, as well as four drive-by downloads that have been demonstrated on the Mac, one publicly: http://landonf.bikemonkey.org/ If Windows 7 proves to be an XP killer as is being prophesied, and if Grisoft, Alwil, and Avira implement effective browser protection technologies in their products as McAfee and Symantec have done; then hackers will eventually find that there are far fewer fish in the ponds they've been fishing. And you can't make a botnet of millions through social engineering alone, so they'll have to look for a pond where the fish are still "biting" on Web exploits. Both the Mac and the iPhone will.
I suggest you continue to pay attention to the security blogs at CNET, and keep track of which way the underworld is moving. As it were, there's almost as much talk about Mac security as there is about Windows security now, and most of the talk about Windows security concerns pre-Vista OSes. The very first time you see anything about an "In the Wild" (ItW) drive-by download for Apple, or any form of attack in the wild that compromises the Mac without user intervention, you might want to warm up to third-party security software. Hope this helps!
2. There is some sort of accounting rule that requires them to charge iPod Touch owners for the upgrade. It was cussed and discussed quite a bit when iPhone OS2 came out.
Touch users have from day one pretty much been second class citizens compared to the iPhone, even though they paid more for the hardware directly than any iPhone buyer has.
Just... get used to it as a Touch owner; I have. You have to pay for each OS upgrade.
No, its more like upgrading from XP service pack 1 to SP2 (or 3).
OS 3 is NOT a brand new OS with new and amazing features. It barely qualifies as a service pack update.
But since its Apple, it can do no wrong and everyone will cheer for them no matter what they do.
P.S. I dno't care if they charge 10 bucks for updated OS, but they should also offer security patch for free. I mean seriously, what if Microsoft offered their secority patches only with new service packs that you had to pay for? I can understand not wanting to upgrade to OS3 and paying, and thats fine because its your choice. But secority fixes are a different story.... and that is some BS
-
by syops1
June 18, 2009 2:27 PM PDT
- Bug added to Iphone 3.0 Safari. Drop down menus are unusable on most web sites.
-
Reply to this comment
-
(25 Comments)