Categories
iPhone

iPhone Update 1.0.1 Released

iphone.jpg
With the iPhone about a month into its product cycle, Apple has just released the first firmware update for the best-selling handset.
According to Gizmodo, the update, which is available through iTunes, makes the following changes and adds the following features:
Safari
Impact: Visiting a malicious website may allow cross-site scripting.
Description: Safari’s security model prevents JavaScript in remote web pages from modifying pages outside of their domain. A race condition in page updating combined with HTTP redirection may allow JavaScript from one page to modify a redirected page. This could allow cookies and pages to be read or arbitrarily modified. This update addresses the issue by correcting access control to window properties. Credit to Lawrence Lai, Stan Switzer, and Ed Rowe of Adobe Systems, Inc. for reporting this issue.
Safari
Impact: Viewing a maliciously crafted web page may lead to arbitrary code execution.
Description: Heap buffer overflows exist in the Perl Compatible Regular Expressions (PCRE) library used by the JavaScript engine in Safari. By enticing a user to visit a maliciously crafted web page, an attacker may trigger the issue, which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript regular expressions. Credit to Charlie Miller and Jake Honoroff of Independent Security Evaluators for reporting these issues.
Click the jump for the full story…


iphone.jpg
With the iPhone about a month into its product cycle, Apple has just released the first firmware update for the best-selling handset.
According to Gizmodo, the update, which is available through iTunes, makes the following changes and adds the following features:
Safari
Impact: Visiting a malicious website may allow cross-site scripting.
Description: Safari’s security model prevents JavaScript in remote web pages from modifying pages outside of their domain. A race condition in page updating combined with HTTP redirection may allow JavaScript from one page to modify a redirected page. This could allow cookies and pages to be read or arbitrarily modified. This update addresses the issue by correcting access control to window properties. Credit to Lawrence Lai, Stan Switzer, and Ed Rowe of Adobe Systems, Inc. for reporting this issue.
Safari
Impact: Viewing a maliciously crafted web page may lead to arbitrary code execution.
Description: Heap buffer overflows exist in the Perl Compatible Regular Expressions (PCRE) library used by the JavaScript engine in Safari. By enticing a user to visit a maliciously crafted web page, an attacker may trigger the issue, which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript regular expressions. Credit to Charlie Miller and Jake Honoroff of Independent Security Evaluators for reporting these issues.
WebCore
Impact: Visiting a malicious website may allow cross-site requests.
Description: An HTTP injection issue exists in XMLHttpRequest when serializing headers into an HTTP request. By enticing a user to visit a maliciously crafted web page, an attacker could trigger a cross-site scripting issue. This update addresses the issue by performing additional validation of header parameters. Credit to Richard Moore of Westpoint Ltd. for reporting this issue.
WebKit
Impact: Look-alike characters in a URL could be used to masquerade a website.
Description: The International Domain Name (IDN) support and Unicode fonts embedded in Safari could be used to create a URL which contains look-alike characters. These could be used in a malicious web site to direct the user to a spoofed site that visually appears to be a legitimate domain. This update addresses the issue by through an improved domain name validity check.
WebKit
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution.
Description: An invalid type conversion when rendering frame sets could lead to memory corruption. Visiting a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution. Credit to Rhys Kidd of Westnet for reporting this issue.
Other tidbits include the fact that the firmware may be working against changes made by the group(s) working to hack and unlock the iPhone. This is currently being explored.
Additional tidbits include the following:
-There seems to be other bug fixes, not only security.
-YouTube lists work.
-The “This Week” tab under “Most Popular” in the YouTube application is fixed: it no longer duplicates the contents of the “All Time” tab.
-Microsoft Exchange folders now appear to show up correctly.
-Applications such as Mail, Address Book and Music Player appear to have been altered on the back end, even if no changes appear readily visible.
Further details will be posted as they become confirmed and available.
This is something we’ve been waiting for a long time and can’t really gauge without your feedback, guys. If you have the time today, install the update and tell us what happens (good or bad) in the comments or forums.