Apple has just released iPhone OS 3.0.1 via iTunes.
iPhone OS 3.0.1 fixes an SMS vulnerability.
Products compatible with this software update:
• iPhone
• iPhone 3G
• iPhone 3GS
MacDailyNews Note: The download, at least for the iPhone 3GS, weighs in at 297.9MB.
To get and install the update:
• Make sure you are using iTunes 8.2. Connect your iPhone to your computer.
• When iTunes opens, select your iPhone under Devices in the Source List on the left.
• In the iPhone Summary pane, click Check for Update.
• Click Download and Install. Do not disconnect your iPhone until the update has finished.
“This morning, less than 24 hours after a demonstration of this exploit, we’ve issued a free software update that eliminates the vulnerability from the iPhone,” said Tom Neumayr, an Apple spokesman, in a statement. He said “no one has been able to take control of the iPhone to gain access to personal information using this exploit.”
MacDailyNews Take: Boom, that was even quicker than expected!
[Thanks to MacDailyNews Reader “JMS in TX” for the heads up.]
thanks for the patch, Apple but uh….claiming a 24 hour turnaround? yeah, but the dude told you about the exploit OVER A MONTH AGO.
mw: “serious” as in “serious BS”
You chowderheads, look closely. It’s 3.0.1. What this means is that it’s a right-right dot release. When Apple or anyone else issues a release llke this, it’s typically a malicious bug fix, NOT a fix for lower priority issues which I’m sire Apple will correct next month. The big issue is the SMS exploit. Everything else is irrelevant, bokay? You clowns make my head hurt.
@ TheConfuzed1 : “Spoken like someone who truly has no idea what he’s talking about”.
ooo, you certainly set me straight!
Moron.
If this hits the wild, you guys will be passing it back and forth amongst yourselves like drooling idiots.
“I really shouldn’t be effing these crack whores bareback, but there’s a really great ribbed condom coming out in a week or three- I’ll use protection then!”
Like I said, hilarious. Great theatre. Biblical, really- reaping what you sow- I almost hope it does happens.
… does happen.
@0 delicious what the he’ll are you talking about. FIGHT? Really reaping what you sow? wtf!
@ John
Re: “The researchers told Apple about this flaw, what, 6 weeks ago? Apple could have released this before the conference this week, rather than play chicken with the cracker community.”
Can you frigg’n read?”
“A day after security experts demonstrated a way to hack into Apple’s iPhone, the company released a software upgrade to fix the problem.” http://blogs.wsj.com/digits/2009/07/31/apple-addresses-hacker-threat-to-iphone/
Do you need somebody to explain it to you?
Do you need somebody to explain it to you?
You’re reading, but you’re not comprehending.
The security experts told Apple about the flaw weeks ago. This week, at a security conference, they told the world about the same flaw.
Apple had weeks, not 24 hours. The guys who identified the problem followed the proper protocol in giving the vendor time to address the issue before revealing what they’d learned. Basic stuff here.
@DanielM “Can you frigg’n read? … Do you need somebody to explain it to you?”
Can you friggin’ do research on your own?
6. The attack was presented publicly at the Black Hat conference. The duo decided to do this after Apple gave them no response back in July, when they provided Apple with information on the security flaw. The goal is to bring attention to the flaw (which they are clearly getting).
http://mashable.com/2009/07/30/iphone-hack/
Yeah it was only 24 hours after it was demo’d. But they knew about it for a couple of weeks at least.
Do you need someone to spoonfeed all your knowledge to you?
@ John
A hacker would need to know your specific phone number in order to send you the SMS attack. Out of the 20 plus million iPhones in the wild I really don’t think you should be in much danger. You can sleep well.
@ mossman
First of all your link was a reference to the old iPhone OS, as the authors of the paper stated, “Our iPhne OS targets were running OS version 2.2 and 2.2.1…,” not the 3.X.
More important, until these guys showed Apple how they did it, Apple couldn’t fix ‘it’. Nobody could, as nobody else could replicate the problem.
http://www.wired.com/gadgetlab/2009/07/apple-patch-sms/
It may be true that Apple was told weeks ago about a security flaw that could potentially “take over every iPhone in the world”; but if that claim was true, how come there hasn’t been a single documented iPhone security breach since that dire pronoucement? Some people just love to yell “Fire!” And some people run for the exits without ever stopping to wonder whether’s there’s really a fire or not. Whatever.
/* MacDailyNews Take: Boom, that was even quicker than expected! */
Apple was alerted 6 weeks ago about this- I’m glad it’s fixed but ‘quick’ might not be the word we’re looking for here.
@DanielM
1) The page I linked to contained a document dated June 25, 2009, just a week after v3 became available. Since they were preparing the abstract and documenting vulnerabilities in other smartphones too, they didn’t have time to re-do their tests against v3.0
2) In any case, it’s irrelevant they only tested against v2. Not even MDN claims that v3 is immune to the SMS hack, and the update is specifically rolled into v3.0.1. If v3 were immune, either Apple would’ve released a v2 update, or recommended everyone update to 3.0.0 immediately.
3) Charles Miller, who discovered the flaw, claims to have contacted Apple about this over a month ago: http://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html
White/Gray hat hackers vary in their approach to notifying companies of their findings, but considering the source, it’s unlikely Miller simply told Apple “iPhone can be exploited by an SMS, fix it or else” and NOT provide technical details (privately to Apple) to reproduce it.
Now, I’m not saying Apple was slow to release this patch. What I *am* saying is, they weren’t as *fast* as you think. You simply do not *start* developing, and test, and roll out a 300 MB OS update, which affects millions of users across three generations of hardware, in less than 24 hours. Apple doesn’t get that big and successful if they don’t follow certain processes to the letter.
Based only on Apple’s press statement (which was factually true), you jumped down John’s throat merely for saying Apple knew about this weeks ago. Though being snarky to you in kind perhaps was uncalled for, I’ve provided ample evidence to suggest Apple’s known about this and has been working on the fix for much longer than 24 hours.
…how come there hasn’t been a single documented iPhone security breach since that dire pronoucement?
Because the security pros who uncovered it aren’t totally irresponsible?
I believe they did demonstrate an attack this week, in which case there has been such a breach.
Did it also break Pre syncing again?
I’ll ha e to wait for an unlock.
Sorry, I was thinking of iTunes – I’m still a bit hungover
I swore I read somewhere that the demo at BH security con failed. They couldn’t get the exploit to work but promised follow up.
@ John
Have you done any developing at all?
Apple takes security very very seriously!
When they or anybody else gets notification, particularly for guys like these that are well known in the industry, the first thing one does is try to replicate it. Until Apple was actually shown the process which nobody was able to replicate, including Apple, and as such it wasn’t on the radar, they couldn’t fix it.
It’s like going to your doctor and he wants to take a medication for a disease that nobody has yet gotten. Just what drug would he presecribe?
As shown, within less than 24 hours from the demo, OS was fixed. Nobody breached the OS in the meantime.
For anybody to suggest that Apple didn’t do anything because they were embarrassed is fucking ludicrous.
For you information, Apple is deluged by thousand of guys attempting to hack Mac’s OS security. They have been doing it for years. There are contests formally planned yearly with significant prizes for anybody that is successful. Bottom line, nobody yet has been able to compromise the OS, i.e., with a malicious virus. That in itself speaks volumes for Apple’s concerns.
This fucking conspiracy theory that continually floats about from the same a-holes that troll here is getting downright boring.
This is much like those so-called experts that professed that there were weapons of mass destruction which ended up killing a lot of American men and women unnecessarily. Experts that use malicious rumors as the source of reference.
I think Apple had a reason to deliver the update so late. Here’s my take:
Apple could’ve garnered serious bad press if, by delivering the update earlier, give Charlie Miller enough time to work around their patch and show that in the conference.
Apple would’ve found themselves with a big community of talented, driven hackers in possession of a serious vulnerability and with no time to respond…
** HOME BUTTON PROBLEM **
After 3.0.1 install my home button chokes. 50% of the time my screen does not activate on the first push, taking 2 to 3 attempts if the phone has been unused for a short while. any one else experience this problem after this update?
@ John re
“3) Charles Miller, who discovered the flaw, claims to have contacted Apple about this over a month ago: http://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html“
Except it was version 2.
I guess Wired has better interviewers or the listen:
“Apple moved even faster than necessary to fix the problem: Miller told Wired.com it took him two and a half weeks to discover the exploit. A hacker “really smart and lucky” could take a few days to replicate the attack, but that’s unlikely because “not many people in the whole world” have these skills, he said.” and this is from the expert that discovered the problem.
http://www.wired.com/gadgetlab/2009/07/apple-patch-sms
O delicious irony!
ooo, you certainly set me straight!
——
I honestly don’t care. I know that nothing I say will affect your thinking. I only write what I do so that those reading it may see that there is another (more accurate) side to the argument.
——
Moron.
——
Thanks. Your intelect and power over me is stunning. I really appreciate the way you have gracefully shown me the error in my ways.
——
If this hits the wild, you guys will be passing it back and forth amongst yourselves like drooling idiots.
——
Honestly, this is more FUD than anything. First of all, the attacker would have to know my phone number. Secondly, even if they did, the worst that could happen is getting kicked off the network. The solution? Turn off SMS messaging. Very simple.
——
“I really shouldn’t be effing these crack whores bareback, but there’s a really great ribbed condom coming out in a week or three- I’ll use protection then!”
——
Are you suggesting that I might catch a virus from using a jailbroken iPhone? HAHAHAHAHaA!!!!! The absolute worst that can happen is installing a trojan, which would be hard, because the reputable repositories screen everything they host. Secondly, anything that is done to an iPhone, can be undone with a simple restore. Again, it’s easy as peach pie.
——
Like I said, hilarious. Great theatre. Biblical, really- reaping what you sow- I almost hope it does happens.
——
Yeah… I’ll be waiting for that. I’ll also be waiting for that Mac OS X virus that is due to hit any day now. I’m unprotected there as well.
DanielM:
This fucking conspiracy theory that continually floats about from the same a-holes that troll here is getting downright boring.
It’s amusing to me that you chose to censor “a-holes,” but not “fucking.” 😀
@ TheConfuzed1
It wouldn’t be anatomically correct; literally speaking.