Security Updates in iPhone 1.1.1




MacRumors
Sep 28, 2007, 10:12 PM

Aside from the new features found in iPhone 1.1.1, CNet details (http://www.news.com/8301-10784_3-9786507-7.html?tag=cnetfd.mt) the important security fixes that accompanied the 1.1.1 upgrade.

Some may be planning on keeping their 1.0.2 iPhones for various reasons (unlocking, 3rd party software), but you should be aware of the number of vulnerabilities that are patched in the newest iPhone update.

Many of the issues affect Safari, with 7 distinct issues being addressed.

Article Link (http://www.macrumors.com/iphone/2007/09/28/security-updates-in-iphone-1-1-1/)



mapezzul
Sep 28, 2007, 10:24 PM
Thanks Arn for posting this up..... not sure how many people look at CNET for Mac info.
The security holes alone make up for this loss of 3rd party apps. Also brings to light that the iPhone safari is not as solid as the OSX version.

Hope people will realize that the patching for 1.1.1 secured the phone up for other reasons rather than just breaking unlocking and 3rd party apps. Hacking phones for exploits will be the next wave of viruses (more so than in the past and currently). I just hope Apple can keep up for my contacts and my sake.

-Map

synth3tik
Sep 28, 2007, 11:31 PM
Damn Apple, putting security updates in the 1.1.1 update. Making us update our phones, keeping us down.

Demon
Sep 28, 2007, 11:32 PM
In that case, does the iPod touch face the same security problems with safari? and does the "touch" update address those vulnerabilities?
I'm still torn with whether to get the touch or wait for another hack for the iPhone. damn it, sometimes these small things make me want to move back to the US.
But... i'm quite happy to be away from the "Bushlands" at the moment :)

elppa
Sep 29, 2007, 04:07 AM
In that case, does the iPod touch face the same security problems with safari? and does the "touch" update address those vulnerabilities?
I'm still torn with whether to get the touch or wait for another hack for the iPhone. damn it, sometimes these small things make me want to move back to the US.
But... i'm quite happy to be away from the "Bushlands" at the moment :)

Touch will be fine, it runs the latest software.

ogee
Sep 29, 2007, 06:05 AM
So I can remain at 1.0.2 but still use my iPhone with security flaws or upgrade to 1.1.1 and have a nice looking paperweight......


I will wait for the 1.1.1 hacks first.

eddiebrock
Sep 29, 2007, 06:55 AM
Don't worry 1.0.2 users, even these security "fixes" don't justify moving to 1.1.1.



Bluetooth
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3753. By sending maliciously crafted Service Discovery Protocol (SDP) packets to an iPhone with Bluetooth enabled, an attacker within range may be able to trigger the issue, which may in turn lead to unexpected application termination or arbitrary code execution. Apple credits Kevin Mahaffey and John Hering of Flexilis Mobile Security for reporting this vulnerability.


Solution: Turn off Bluetooth in "Settings"


Mail man-in-the-middle attack
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3754. When Mail is configured to use SSL for incoming and outgoing connections, it does not warn the user when the identity of the mail server has changed or cannot be trusted and could lead to a man-in-the-middle attack.


Solution: Use Yahoo Mail (which doesn't operate on SSL) or check your mail through Safari


Mail telephone link
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3755. "By enticing a user to follow a telephone link in a mail message, an attacker can cause iPhone to place a call without user confirmation." Apple credits Andi Baritchi of McAfee for reporting this vulnerability.


Solution: Key word here is "enticing." Anyone that is stupid enough to click a link from an unknown email deserves what they get. Delete the message. And LOL, "Oh my god, it's making me dial a phone number!!! Aaaah!" Dude, just hit end call and the world will go on.


Safari 1
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3756. "A design issue in Safari allows a Web page to read the URL that is currently being viewed in its parent window. By enticing a user to visit a maliciously crafted Web page, an attacker may be able to obtain the URL of an unrelated page." Apple credits Michal Zalewski of Google and Secunia Research for reporting this issue.


Solution: Oooh, they read my URL! I'm gonna die! So what if they know what URL I'm looking at in another window? For secure websites (banks, etc) knowing a URL is not enough because when you go to another computer and even just copy-paste that URL in, it will always ask you for some sort of authentication. And don't click on a link that could be from a malicious source.


Safari 2
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3757. "Safari supports telephone ("tel:") links to dial phone numbers. When a telephone link is selected, Safari will confirm that the number should be dialed. A maliciously crafted telephone link may cause a different number to be displayed during confirmation than the one actually dialed. Exiting Safari during the confirmation process may result in unintentional confirmation." Apple credits Billy Hoffman and Bryan Sullivan of HP Security Labs (formerly SPI Labs) and Eduardo Tang for reporting this issue.


Solution: Again, not sure why you would click a random phone number while browsing the web. Write the number down and use good old keypad!


Safari 3
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3758. "A cross-site scripting vulnerability exists in Safari that allows malicious Web sites to set JavaScript window properties of Web sites served from a different domain. By enticing a user to visit a maliciously crafted Web site, an attacker can trigger the issue, resulting in getting or setting the window status and location of pages served from other Web sites." Apple credits Michal Zalewski of Google for reporting this issue.


Solution: I'm not really sure how this applies if JavaScript is disabled in iPhone Safari. Isn't that the case here? If JavaScript is enabled, again it's the same as if you're browsing a normal computer - DON'T VISIT THOSE "ENTICING" WEBSITES!!! DUH!


Safari 4
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3759. "Safari can be configured to enable or disable JavaScript. This preference does not take effect until the next time Safari is restarted. This usually occurs when the iPhone is restarted. This may mislead users into believing that JavaScript is disabled when it is not."


Solution: Again, I could have sworn JavaScript didn't work on the iPhone? But even if it does, now we know the fix - just restart the phone when you change your Safari settings. Not too hard. And if you CAN disable or enable JavaScript, just keep it disabled! I heard JavaScript is pretty much useless on the iPhone anyway.


Safari 5
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3760. "A cross-site scripting issue in Safari allows a maliciously crafted Web site to bypass the same-origin policy using "frame" tags. By enticing a user to visit a maliciously crafted Web page, an attacker can trigger the issue, which may lead to the execution of JavaScript in the context of another site." Apple credits Michal Zalewski of Google and Secunia Research for reporting this issue.


Solution: Again, "enticing." Just keep JavaScript disabled when you want to mess around with "maliciously crafted web pages"


Safari 6
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3761. "A cross-site scripting issue in Safari allows JavaScript events to be associated with the wrong frame. By enticing a user to visit a maliciously crafted Web page, an attacker may cause the execution of JavaScript in the context of another site."


Solution: Yet AGAIN, "enticing." Disable JavaScript when you want to be stupid and visit these malicious sites!


Safari 7
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-4671. "An issue in Safari allows content served over HTTP to alter or access content served over HTTPS in the same domain. By enticing a user to visit a maliciously crafted Web page, an attacker may cause the execution of JavaScript in the context of HTTPS Web pages in that domain." Apple credits Keigo Yamazaki of Little Earth Corporation for reporting this issue.


Solution: Why would you be visiting malicious sites in one window and having a secure HTTPS site open in another! The easy way out is to just have one window open when you are browsing an https site. And again, if you are suspicious about a site, close everything else! Sheesh!

So basically, none of these updates justify 1.0.2 users whose phones are unlocked to upgrade. They're all stuff that is useful to know for sure, but doesn't need the upgrade - they can be prevented by mere common sense. Don't be "enticed" to visit weird, potentially malicious websites on your iPhone - something I don't even do on my regular computer.

Or better yet, don't think of your iPhone as a replacement for your computer! If you like to "browse malicious websites" and click on random links that you have no idea about, maybe the iPhone isn't for you :)

nismo
Sep 29, 2007, 08:57 AM
this guy speaks the truth

megfilmworks
Sep 29, 2007, 09:06 AM
I must be missing something, I should not update my iphone and jump through all these hoops just so I can have a few silly 3rd party apps or another rip off carrier?

eddiebrock
Sep 29, 2007, 09:10 AM
^^Since I've already said enough in this thread...I'll leave it to the folks at Wired Magazine to sum it up best:

http://blog.wired.com/photos/uncategorized/2007/09/28/apple_features.jpg

Yeah, all those seem pretty "silly" to me too. And yeah, all the other carriers just "rip off" AT&T!

Mark Scheuern
Sep 29, 2007, 09:35 AM
Solution: Turn off Bluetooth in "Settings"


That doesn't help much if you actually want to use Bluetooth.


Solution: Oooh, they read my URL! I'm gonna die! So what if they know what URL I'm looking at in another window? For secure websites (banks, etc) knowing a URL is not enough because when you go to another computer and even just copy-paste that URL in, it will always ask you for some sort of authentication. And don't click on a link that could be from a malicious source.


A URL using the GET request can contain a query string which certainly can reveal sensitive information.


Solution: Again, not sure why you would click a random phone number while browsing the web. Write the number down and use good old keypad!


The problem is that it's not a "random" phone number you're clicking on, it could be one familiar to you and the one actually dialed could be a different one.


Solution: Again, I could have sworn JavaScript didn't work on the iPhone? But even if it does, now we know the fix - just restart the phone when you change your Safari settings. Not too hard. And if you CAN disable or enable JavaScript, just keep it disabled! I heard JavaScript is pretty much useless on the iPhone anyway.


JavaScript works fine with Safari on the iPhone. I can see where thinking you've turned off JavaScript and it still being on could be a problem. Why would a user have the expectation that they need to restart before the change takes place if the menus say otherwise?


Solution: Why would you be visiting malicious sites in one window and having a secure HTTPS site open in another! The easy way out is to just have one window open when you are browsing an https site. And again, if you are suspicious about a site, close everything else! Sheesh!


Why wouldn't you? It's not as if malicious sites greet you with "Hi, I'm a malicious web site!"


So basically, none of these updates justify 1.0.2 users whose phones are unlocked to upgrade. They're all stuff that is useful to know for sure, but doesn't need the upgrade - they can be prevented by mere common sense. Don't be "enticed" to visit weird, potentially malicious websites on your iPhone - something I don't even do on my regular computer.


I disagree. Some of these look like significant security problems to me and expecting users to get around them by avoiding things they may actually need like Bluetooth, JavaScript, SSL-encrypted email, etc. is unreasonable, IMO. Not using the functionality built into the phone or jumping through hoops to get around security problems is not something most people would want to do.


Or better yet, don't think of your iPhone as a replacement for your computer! If you like to "browse malicious websites" and click on random links that you have no idea about, maybe the iPhone isn't for you :)

Or update it to 1.1.1. Or never turn it on. The update option seems most reasonable to me.
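
The point above about GET query strings, as an added example that is not part of the original thread: a small Node.js check that flags query parameters likely to carry secrets and returns a redacted URL, which is the information a page able to read another window's URL (CVE-2007-3756 as described above) would have obtained. The parameter-name list, thresholds and sample URLs are assumptions constructed for illustration.

```javascript
// Added example, not from the thread. The parameter-name list and the
// length/entropy thresholds below are assumptions chosen for illustration.

const SENSITIVE_NAME =
  /^(sid|session(id)?|token|access_token|reset_token|auth|api_?key|key|password|passwd|pwd|secret|acct|account|email)$/i;
const EMAIL_VALUE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;
const MIN_TOKEN_LENGTH = 20;    // assumption: shorter values are rarely bearer secrets
const MIN_TOKEN_ENTROPY = 3.5;  // assumption: bits per character for "random-looking"

// Shannon entropy of a string in bits per character.
function shannonEntropy(s) {
  const chars = [...s];
  const counts = new Map();
  for (const ch of chars) counts.set(ch, (counts.get(ch) || 0) + 1);
  let bits = 0;
  for (const n of counts.values()) {
    const p = n / chars.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Inspect every query parameter of a URL. Returns the parameters that look
// sensitive (and why), plus a copy of the URL with those values replaced.
function auditUrl(raw) {
  const url = new URL(raw);
  const redacted = new URL(raw);
  const findings = [];
  for (const [name, value] of url.searchParams) {
    const reasons = [];
    if (SENSITIVE_NAME.test(name)) reasons.push('parameter name');
    if (EMAIL_VALUE.test(value)) reasons.push('email address');
    if (value.length >= MIN_TOKEN_LENGTH &&
        shannonEntropy(value) >= MIN_TOKEN_ENTROPY) {
      reasons.push('token-like value');
    }
    if (reasons.length > 0) {
      findings.push({ name, reasons });
      redacted.searchParams.set(name, 'REDACTED');
    }
  }
  return {
    findings,
    redacted: redacted.toString(),
    safeToShare: findings.length === 0,
  };
}

// Constructed sample URLs (not real sites or sessions).
const SAMPLES = [
  'https://bank.example/statement?acct=12345678&sid=3f9c2a7e51d84b06a1c7e2f49b0d6c85&page=2',
  'https://shop.example/unsubscribe?u=alice%40example.com',
  'https://news.example/article?id=42&page=3',
];

for (const sample of SAMPLES) {
  const result = auditUrl(sample);
  const summary = result.findings
    .map((f) => `${f.name} (${f.reasons.join(', ')})`)
    .join('; ');
  console.log(result.safeToShare ? 'ok     ' : 'LEAKS  ', result.redacted);
  if (summary) console.log('        flagged:', summary);
}
```

The same check can be run over web server access logs or outgoing links to find pages that should move such values out of the URL, for example into a POST body or a cookie.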

megfilmworks
Sep 29, 2007, 09:39 AM
The list of hacked apps doesn't interest me at all. My iPhone is, to me, an iPod first and foremost, so I want the wifi iTunes store. Why not just use a Palm or BBE product if you want a lot of silly apps? And as far as carriers go, there are no large differences, they are ALL rip offs.

Demon
Sep 29, 2007, 09:48 AM
Yeah, i agree about the price plans in the US.
I pay about 7 USD per month for 2G service, includes voicemail, SMS, caller ID, etc etc. Basic stuff.
Meanwhile the basic price for iPhone is... what? 60 USD? :confused:

cazlar
Sep 29, 2007, 10:39 AM
I must be missing something, I should not update my iphone and jump through all these hoops just so I can have a few silly 3rd party apps or another rip off carrier?

Ah, but while the 3rd party apps may not entice you at the moment, who's to say there won't be a "killer app" released next week? For example, someone demonstrated a proof-of-concept VoIP app recently - once that is polished up it could be huge.

And in regards to carriers, you are right in that all carriers seem to try to rip you off (more so in the US I've found), but many people have different uses for a phone. Personally, I don't use it enough to ever justify $60/month, and would love a PAYG option. Unfortunately, AT&T won't allow PAYG on iPhone, instead limiting it to their other GoPhone plan (which is basically the same price as the contract plan, minus the contract, with less minutes/txt/etc). My solution was to buy the phone, unlock and throw in my t-mobile PAYG SIM, and be up and running 30 minutes later. I lose EDGE and Visual voicemail, but that's fine by me.

In addition, it's surprising, but not everyone lives in the US. Anyone living (or regularly travelling) overseas needs to unlock their phone. While I currently live in the States, I won't forever, and also return home to Australia for holidays etc. There's no way I will pay roaming charges there when all I need to do is go to plug in a local SIM (which I can buy for $2 at the grocery store) into the unlocked phone. That AT&T's position is to NEVER unlock the phone (even at the end of the 2yr contract) made it intolerable to me. When I move back to Australia permanently, what would I do with my expensive paperweight? Again the solution was to unlock it myself.

So yes, for me at least, a "hacked" and unlocked phone is the ONLY way I would ever be able to buy an iPhone. And I'm very happy with mine at the moment. I'm currently less happy with the way Apple is clamping down, but that's a different rant.

To get back on-topic though, the forking of the iPhone population into two groups is terrible. Even though you can argue that the current security fixes are not huge, future ones may be, but the "hacker" population sticking happily on 1.0.2 won't be able to use these. I hope the dev team can find a way to let us all update safely (now and in the future).

jt2ga65
Sep 29, 2007, 11:08 AM
The people that don't want to hack their iPhones and are happy with the Apps that Apple has given to the users should update to 1.1.1 and ****. Their input adds no value to the people that hack their phone for one reason or another.

It is good information to know what security patches are included in the 1.1.1 update. This way people can judge if there is really a lot of risk in not updating. Looking at the list, I can see only one that COULD affect me, but the "man in the middle" attack is an EXTREMELY rare one. In fact, I have never seen it, or even heard of a case where it has happened, and I work in security for a large telco. Yes, we know that it COULD happen, but just never seen it.

The other ones are just common sense. I don't read email from people I don't know without first screening in a way that won't expose my computer to the vulnerabilities. Most of the time email from those people I don't know are caught in my web-based spam filters anyways. And I don't go clicking on every link that I come across.

-jt2

megfilmworks
Sep 29, 2007, 11:20 AM
It is good information to know what security patches are included in the 1.1.1 update. This way people can judge if there is really a lot of risk in not updating. Looking at the list, I can see only one that COULD affect me, but the "man in the middle" attack is an EXTREMELY rare one. In fact, I have never seen it, or even heard of a case where it has happened, and I work in security for a large telco. Yes, we know that it COULD happen, but just never seen it.

The other ones are just common sense. I don't read email from people I don't know without first screening in a way that won't expose my computer to the vulnerabilities. Most of the time email from those people I don't know are caught in my web-based spam filters anyways. And I don't go clicking on every link that I come across.

-jt2

Is the hacker community as open as Apple is when it comes to what the software they provide actually does? Like IMEI changes?? I wish they would publish specifics so people can make an educated guess as whether to upload or not. I sure don't want to use unauthorized software that has little or no documentation. At this point i'll trust Apple over the dev team.

Chip NoVaMac
Sep 29, 2007, 11:24 AM
The list of hacked apps doesn't interest me at all. My iPhone is, to me, an iPod first and foremost, so I want the wifi iTunes store. Why not just use a Palm or BBE product if you want a lot of silly apps? And as far as carriers go, there are no large differences, they are ALL rip offs.


I do like some of the apps listed, but for me some of the changes in 1.1.1 will be worth waiting for the hackers to catch up with this update:

- Louder speakerphone and receiver volume
- Home Button double-click shortcut to phone favorites or music controls
- Space bar double-tap shortcut to intelligently insert period and space
- Mail attachments are viewable in portrait and landscape
- Preference to turn off EDGE/GPRS when roaming internationally

For many the iPhone is not first an iPod device. Apple has teased us with a great device that puts Palm and BB devices to shame. Some of the apps listed in the graphic from Wired are ones that the iPhone is well suited for; and desired by many I figure:

- eBook reader
- Instant Messaging
- Global Positioning

At least here in the US, we only have the choice of AT&T and T-Mobile for our iPhones. Of the two, AT&T is the strongest IMO.

In the end I look at the iPhone and iPod Touch being test beds for something bigger from Apple next year. Given the rumors of Apple working on a PDA device.

Using the current lineup and pricing of the iPhone and Touch, my guess for next year is:

- iPod Touch 8gb - $299
- iPhone 8gb - $399
- "iOrganizer" 8gb - $399
- iPhone2 (with "iOrganizer" built-in) 16gb -$599

Given that Apple is using a pocket sized version of OS X, it is possible that they may offer some of the apps from the rumored PDA as downloads, like they do with games. It is all about the revenue stream for Apple, and you can't fault them for that.

megfilmworks
Sep 29, 2007, 11:37 AM
I agree Chip. Also, I think the posters who resent the revenue stream don't understand business. If Apple was to ignore the finances and just become a do gooder for hackers then we would have no Apple and there would not be an iPhone to debate. Remember the original Apple? Lennon wanted a record label that was set up for the artist with no concerns over the financial impact of his "business" decisions. It didn't work for the Beatles and it will not work for any business that is not a charity.

Chip NoVaMac
Sep 29, 2007, 11:42 AM
In addition, it's surprising, but not everyone lives in the US. Anyone living (or regularly travelling) overseas needs to unlock their phone. While I currently live in the States, I won't forever, and also return home to Australia for holidays etc. There's no way I will pay roaming charges there when all I need to do is go to plug in a local SIM (which I can buy for $2 at the grocery store) into the unlocked phone. That AT&T's position is to NEVER unlock the phone (even at the end of the 2yr contract) made it intolerable to me. When I move back to Australia permanently, what would I do with my expensive paperweight? Again the solution was to unlock it myself.

I know that I would love the option to buy a SIM for an overseas visit. But given the heavy hand that Apple has used with carriers we might never see that.

To get back on-topic though, the forking of the iPhone population into two groups is terrible. Even though you can argue that the current security fixes are not huge, future ones may be, but the "hacker" population sticking happily on 1.0.2 won't be able to use these. I hope the dev team can find a way to let us all update safely (now and in the future).


Won't happen IMO, Apple wants to close the iPhone to other apps down for whatever reason.

Virgil-TB2
Sep 29, 2007, 11:46 AM
... JavaScript, just keep it disabled! ...

I was *kinda* with you until this part. JavaScript is quite necessary for browsing the web. I actually hate JavaScript and have tried to turn it off many times but I always have to re-enable it at some point as it's just not practical to browse without it. Might as well go back to Lynx :)

If someone has a bluetooth headset on their iPhone it would also be difficult to turn off Bluetooth.

So your "solution" to the security problems amounts to:

- "careful what you click on" (totally do-able)
- "turn off Bluetooth and JavaScript" (impractical at best)

:confused:

sananda
Sep 29, 2007, 11:52 AM
Remember the original Apple? Lennon wanted a record label that was set up for the artist with no concerns over the financial impact of his "business" decisions. It didn't work for the Beatles and it will not work for any business that is not a charity.

apple corps was set up at the suggestion of accountants as a vehicle to avoid the then punitive tax system in the UK. :)

megfilmworks
Sep 29, 2007, 12:01 PM
apple corps was set up at the suggestion of accountants as a vehicle to avoid the then punitive tax system in the UK. :)
Yes, but when it opened its doors Lennon took over the direction and the result was disaster. Any book on the Beatles that covers this era will tell you the story. It was like a sitcom over there. And don't get me wrong, I love Lennon, but they could afford to have a tax shelter and lose big money. Apple is a company in business to make money.

jt2ga65
Sep 29, 2007, 12:12 PM
Is the hacker community as open as Apple is when it comes to what the software they provide actually does? Like IMEI changes?? I wish they would publish specifics so people can make an educated guess as whether to upload or not. I sure don't want to use unauthorized software that has little or no documentation. At this point i'll trust Apple over the dev team.
Actually, most free software developers are VERY open with their software, including VERY detailed changelog descriptions. Ultimately, YOU, the user, are the one that has to decide to authorize what you install on your computer. To me, the iPhone is just another computing device, this one has a phone attached to it.

I agree Chip. Also, I think the posters who resent the revenue stream don't understand business.
I don't think that anyone is resenting Apple for trying to make money. That's what corporations do, and that's what they need to do. Without that, not only would we not have a iPhone, but we wouldn't have any money to BUY the iPhone because we wouldn't have jobs with which to make the money. What we DO resent is Apple's stand that they know better about what we want to do with our computers than the consumers. This may be true in many cases, but not for the rest of us left out here that can still think for themselves. For us, the only intelligent thing to do is look at ALL the options to see what works best for us. And for many of us, that is to use free software.

Don't get me wrong. I think Apple has developed a very powerful product. I just think that they have crippled it for no good reason. I have no problem paying for products I like and use, and will continue to do so, however I'd consider myself to be stupid not to look at all the options, and support the best ones, either financially, or however they wish to be supported.

-jt2

aristobrat
Sep 29, 2007, 12:23 PM
Aside from the new features found in iPhone 1.1.1, CNet details (http://www.news.com/8301-10784_3-9786507-7.html?tag=cnetfd.mt) the important security fixes that accompanied the 1.1.1 upgrade.
How did CNet figure out the actual details of the security updates? Does Apple release those anywhere, or does CNet likely have an inside source?

sananda
Sep 29, 2007, 12:29 PM
Yes, but when it opened its doors Lennon took over the direction and the result was disaster. Any book on the Beatles that covers this era will tell you the story. It was like a sitcom over there. And don't get me wrong, I love Lennon, but they could afford to have a tax shelter and lose big money. Apple is a company in business to make money.


yeah, i know. i remember magic alex and his lunatic schemes!!

iomar
Sep 29, 2007, 01:30 PM
I understand all the reasonings but one thing I know I loved my iPhone before the update. I miss all my applications. If anyone knows a way to downgrade my phone back to version 1.0.2 I will gladly restore my phone back to the way it was. I don't like the web 2.0 applications I hate when I can't put a short cut to the main window. Anyway someone please figure a way to get the installer app working again on my phone or show me a way to restore my phone in version 1.0.2. Thanks!!

megfilmworks
Sep 29, 2007, 01:43 PM
yeah, i know. i remember magic alex and his lunatic schemes!!
LOL and John, God Bless him, was not far behind.

unconcious
Sep 29, 2007, 02:51 PM
The list of hacked apps doesn't interest me at all. My iPhone is, to me, an iPod first and foremost, so I want the wifi iTunes store. Why not just use a Palm or BBE product if you want a lot of silly apps? And as far as carriers go, there are no large differences, they are ALL rip offs.

you got the words right out of my mouth. :D :apple:

brewcitywi
Sep 29, 2007, 03:43 PM
I'm happy with the 1.1.1 upgrade. I sometimes get a bit confused regarding comments that are so negative about any software change that restricts iPhone experimentation.

Is there actually a complaint that the itunes wifi music store doesn't work without wifi? Do you want your music downloads to take 9 hours and fail 5 times along the way? Come on now.

Do I want my iPhone to have some improvements? Sure! I'd love a better word processing feature that syncs. I think it would be cool if ichat coordinated and you could see the person you're talking to. Copy/Paste would be nice. Allowing e-mail to work in horizontal view for reading and responding would help at times.

But, I don't need it to fry an egg, and some of these suggested improvements are a little ahead of their time, and if you want to use your iPhone for all kinds of experiments, the updates will always set you back a bit.