Apple Heals Holes in iPhone, Mac OS, Safari

Apple has issued three batches of software updates and fixes for its popular iPhone, Mac OS X operating system and the Safari 3.03 browser beta.

The iPhone fixes address a pair of Safari-related vulnerabilities that came up almost immediately after the phone’s release, plus three more that were not disclosed.

A security firm called Independent Security Experts (ISE) first uncovered iPhone vulnerabilities last month and informed Apple  of its findings. ISE planned to demonstrate what it found at the Black Hat security conference this week in Las Vegas.

Two of the fixes address cross-site scripting problems, one by preventing JavaScript in remote Web pages from modifying pages outside of their domain, the other by fixing an HTTP injection issue in XMLHttpRequest. Apple credited Richard Moore of Westpoint Ltd. for reporting the issue.

Apple credited the ISE crew for pointing out a heap buffer overflow problem in the Perl Compatible Regular Expressions (PCRE) library, while Apple thanked Tomohito Yoshino, of Business Architects, for reporting an error in the International Domain Name (IDN) that allows for fake URL addresses in fonts that contain look-alike characters.

Finally, Apple credited Rhys Kidd for reporting a remote code execution flaw that allows an invalid type conversion when rendering frame sets could lead to memory corruption.

The update is only available through iTunes and will not appear in a Macintosh Software Update application or in the Apple Downloads site. Amol Sarwate, research manager at vulnerability management company Qualys, said that’s the nature of embedded devices.

This is a common issue for any embedded device that runs off-the-shelf browsers. “Unfortunately, because of the way they are architected, that’s currently the only way to update the devices,” he explained.

For security and bandwidth reasons, fixes and updates are not sent down over the network. Rather, the device must be connected to a computer and the patches downloaded to a PC or Macintosh. GPS devices, for example, have to be updated the same way.

Because of this, Sarwate said that people he knows at the Black Hat conference have their iPhones off, because if there’s any place where people are liable to monkey with security problems it will be at the Black Hat gathering.

While he hasn’t dug into the fixes, Sarwate said it looks like everything is covered.

“Before, we knew of two vulnerabilities, and they fixed five. I’m impressed with Apple to turn it around this quickly. If you think of the time needed to write the code and test it properly they did a good job turning it around in this short amount of time,” he said

iPhone wasn’t the only Apple product that needed some patching.

Apple also issued 25 fixes for Mac OS X 10.3.9 and 10.4.10, addressing networking and audio functions, Kerberos security and vulnerabilities in PHP and Tomcat, plus numerous Web-based cross-site scripting and remote code execution vulnerabilities.

For the Safari 3 beta, Apple issued four fixes, two of which are the same fix as found in the iPhone. Another patch fixes a flaw that prevents Java applets from loading should the user have Java disabled. Finally, there is a Windows XP fix that handles buffer overflows when adding a new URL to the favorites list.

News Around the Web