Apple patches months-old iPhone, iPod touch bugs

All but two of the bugs affected Safari or WebKit, the open-source code that provides Safari's core engine.

Apple patched 13 vulnerabilities in the iPhone and iPod touch last Friday, including several it had fixed in Mac OS X or the Safari Web browser as long ago as March.

Six of the 13 bugs were tagged with the phrase "arbitrary code execution," which Apple uses to denote the most serious vulnerabilities. Other operating system vendors, such as Microsoft, typically label such flaws "critical" in their threat rating systems.

Several of the Safari and WebKit patches for the iPhone and iPod touch had been released by Apple earlier -- sometimes months earlier -- according to comparisons with previous security advisories and searches of the CVE (Common Vulnerabilities and Exposures) database. According to Computerworld's analysis, five of the 13 iPhone/iPod touch fixes were for vulnerabilities previously patched in Mac OS X or Safari between March and June.

That lag caught the attention of one security professional, who criticized Apple's inability to update Safari across its product lines. "Putting out a security update on the same day that it launched [iPhone 2.0] shows that they knew they were already behind," said Andrew Storms, director of security operations at nCircle Network Security Inc. "Charlie Miller beat the drum on this, asking if anyone realized that there were a number of unpatched vulnerabilities on the iPhone. A lot of people hadn't thought of that because we were looking forward to iPhone 2.0.

"But Apple put us in a situation of being vulnerable," he said.

Other vulnerabilities patched by Apple on Friday had been addressed by other vendors months, or in one case, years, before. A Safari cross-site scripting vulnerability patched Friday, for example, had been fixed in early June 2006 -- more than two years ago -- by Mozilla Corp. in an update to its then-current Firefox 1.5 browser.

Storms blasted Apple's patching practice, saying that the reality didn't match the company's talk. "They're the ones telling us that they're working toward a unified platform," said Storms. But based on the slow patching for the iPhone's vulnerabilities, he questioned whether that's true. "We've been working on the supposition that the iPhone firmware is OS X-based, and same-code based. If that's the case, Apple should be able to update one, and easily update other [versions] of Safari.

"Either [the iPhone and Mac operating systems] are not the same code base or their business groups can't coordinate releases," he argued.

At least one of the just-patched vulnerabilities has had an available exploit since February. Tagged with the CVE identifier 2008-0177, the flaw, which was fixed in late May by Apple as part of a massive 40-patch update to Mac OS X, was pinned with an exploit as early as Feb. 24.

iPhone and iPod touch owners can obtain the security patches by downloading and installing the 2.0 firmware, which is available via Apple's iTunes.

Gregg Keizer

Computerworld