Apple today released iPhone Software 1.0.1 update which includes bug fixes and supersedes all previous versions.
iPhone Software Update 1.0.1 is available via iTunes: Select iPhone in the Source pane and click the Summary tab. Click “Check for Update.”
iPhone v1.0.1 Update security content:
• Safari
CVE-ID: CVE-2007-2400
Available for: iPhone v1.0
Impact: Visiting a malicious website may allow cross-site scripting
Description: Safari’s security model prevents JavaScript in remote web pages from modifying pages outside of their domain. A race condition in page updating combined with HTTP redirection may allow JavaScript from one page to modify a redirected page. This could allow cookies and pages to be read or arbitrarily modified. This update addresses the issue by correcting access control to window properties. Credit to Lawrence Lai, Stan Switzer, and Ed Rowe of Adobe Systems, Inc. for reporting this issue.
• Safari
CVE-ID: CVE-2007-3944
Available for: iPhone v1.0
Impact: Viewing a maliciously crafted web page may lead to arbitrary code execution
Description: Heap buffer overflows exist in the Perl Compatible Regular Expressions (PCRE) library used by the JavaScript engine in Safari. By enticing a user to visit a maliciously crafted web page, an attacker may trigger the issue, which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript regular expressions. Credit to Charlie Miller and Jake Honoroff of Independent Security Evaluators for reporting these issues.
• WebCore
CVE-ID: CVE-2007-2401
Available for: iPhone v1.0
Impact: Visiting a malicious website may allow cross-site requests
Description: An HTTP injection issue exists in XMLHttpRequest when serializing headers into an HTTP request. By enticing a user to visit a maliciously crafted web page, an attacker could trigger a cross-site scripting issue. This update addresses the issue by performing additional validation of header parameters. Credit to Richard Moore of Westpoint Ltd. for reporting this issue.
• WebKit
CVE-ID: CVE-2007-3742
Available for: iPhone v1.0
Impact: Look-alike characters in a URL could be used to masquerade a website
Description: The International Domain Name (IDN) support and Unicode fonts embedded in Safari could be used to create a URL which contains look-alike characters. These could be used in a malicious web site to direct the user to a spoofed site that visually appears to be a legitimate domain. This update addresses the issue by through an improved domain name validity check.
• WebKit
CVE-ID: CVE-2007-2399
Available for: iPhone v1.0
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: An invalid type conversion when rendering frame sets could lead to memory corruption. Visiting a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution. Credit to Rhys Kidd of Westnet for reporting this issue.
Yo MDN, where’s the love? – lol
any specifics? the phone doesn’t feel different…
A Bit of a dis appoint ment No?
This is a security update only; you won’t get any new features. Apple doesn’t claim any performance improvements either, though I’ll be damned if JavaScript in Safari doesn’t appear to be running better.
Maybe it just fixes the hacker hole?
The first security update of many. This phone is going to be attacked like no other, that’s why I’m waiting a year or so until the platform is stable to get one.
it breaks ifuntastic 🙁
I just installed the firmware update and suddenly my phone has a GPS! Not only that, it smells minty fresh!
Oh wait. It’s the drugs. Never mind…
Details are here:
http://docs.info.apple.com/article.html?artnum=306173
Interesting, after applying the update I now receive the following error message when connecting my new “Apple Bluetooth headset charging connector with the headset adaptor inserted into the charging port”
This accessory is not made to work with the iPhone
Would you like to turn on Airplane mode to reduce audio interference (you will not be able to make or receive calls)?
Also, the iPhone no longer indicates that the unit is charging the Apple Bluetooth headset.
Oh yes,
The phone no longer recognizes the Bluetooth device either.
This is a good sign that Appy will be all over the upkeep of this phone. We REALLY need an update for Exchange compatibility to use on an Exchange server (bastard MSers) and what is up with all the hype about youtube compatibility and Youtube taking their sweet time “optimizing” entries for the iphone?
Hamilton International Productions
Videographers in Las Vegas
http://www.hiproductions.com
The “not fully charged” battery indicator issue appears to be gone.
“The “not fully charged” battery indicator issue appears to be gone.”
if (BatteryCharge >90) BatteryCharge = 100;
That shouldn’t have taken too long….
Clearly Steve deliberately threw these vulnerabilities in so he could show how fast Apple can respond and fix them. Another brilliant strategic move by Apple!
To Quickfix,
Hope you’re not hoping to get a programming job at Apple’s with that line of code. Mircosoft on the other hand …
Think that Cadillac Ad covering half my screen in the middle of MDN’s page must be some kind of ‘virus’ since I can’t make it go away and didn’t ask for it to ‘jump out’ in the first place.
BC
What the heck’s a “source pane”? Where’s anyone used that term before? How would people know what that is?
not sure if posted yet… Bcc option now available on mail setting…thank goodness..