July 3rd, 2008

Apple caught neglecting iPhone security

Posted by Ryan Naraine @ 11:37 am

Categories: Patch Watch, Apple, Browsers, Vulnerability research, Exploit code, Data theft, Open source, Pen testing, Metasploit, Wi-Fi security, Arbitrary Code Execution, Mobile (In)Security

Tags: Ryan Naraine

If you’re waiting on iPhone 2 to standardize your business on the awesome new device (yeah, I’ll be on line to buy one), you might want to pay attention to the conspicuous absence of iPhone security patches over the last four months.

As WaPo’s Brian Krebs reports, the iPhone runs a stripped-down version of Mac OS X, but even though OS X security updates are coming fast and furious, the iPhone has been neglected.

This means that there are multiple serious iPhone code execution flaws — including the CanSecWest Safari contest bug — that remain unpatched.

Krebs writes:

In seeking confirmation of this, I spoke recently with Charlie Miller, one of the foremost OS X and iPhone security researchers. Miller confirmed that the iPhone updater tells users that if they have version 1.1.4 installed then they are running the most current version. The problem is that this update does not include fixes for a slew of security holes in the Safari Web browser and other OS X components upon which the iPhone relies heavily.

“Apple should either update their software like they do with the core operating system, or otherwise don’t advertise the fact that the iPhone checks for updates every week,” Miller said. “Right now, an iPhone user is going to think they’re up-to-date because there’s no patch available, but the reality is that users are only as secure as they were back in February.”

Even more worrisome, Miller has created a tool to exploit the Safari vulnerability on an iPhone.

Using the exploit, an attacker who convinces an iPhone user to click on a malicious link could steal the victim’s call records or contacts, send text messages or read the user’s sent and received messages, and make outgoing calls, among other things.

There’s also an iPhone zero-day floating around out there.

So, if you love your iPhone like I do, consider sending Apple a note (<product-security@apple.com>) and let them know that this neglect is unacceptable.

* Image source: oskay’s Flickr photostream (Creative Commons 2.0).

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the world. See his full profile and disclosure of his industry affiliations.

