Don't worry 1.0.2 users, even these security "fixes" don't justify moving to 1.1.1.
Bluetooth
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3753. By sending maliciously crafted Service Discovery Protocol (SDP) packets to an iPhone with Bluetooth enabled, an attacker within range may be able to trigger the issue, which may in turn lead to unexpected application termination or arbitrary code execution. Apple credits Kevin Mahaffey and John Hering of Flexilis Mobile Security for reporting this vulnerability.
Solution: Turn off Bluetooth in "Settings"
Mail man-in-the-middle attack
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3754. When Mail is configured to use SSL for incoming and outgoing connections, it does not warn the user when the identity of the mail server has changed or cannot be trusted, which could lead to a man-in-the-middle attack.
Solution: Use Yahoo Mail (which doesn't operate on SSL) or check your mail through Safari
Mail telephone link
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3755. "By enticing a user to follow a telephone link in a mail message, an attacker can cause iPhone to place a call without user confirmation." Apple credits Andi Baritchi of McAfee for reporting this vulnerability.
Solution: Key word here is "enticing." Anyone that is stupid enough to click a link from an unknown email deserves what they get. Delete the message. And LOL, "Oh my god, it's making me dial a phone number!!! Aaaah!" Dude, just hit end call and the world will go on.
Safari 1
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3756. "A design issue in Safari allows a Web page to read the URL that is currently being viewed in its parent window. By enticing a user to visit a maliciously crafted Web page, an attacker may be able to obtain the URL of an unrelated page." Apple credits Michal Zalewski of Google and Secunia Research for reporting this issue.
Solution: Oooh, they read my URL! I'm gonna die! So what if they know what URL I'm looking at in another window? For secure websites (banks, etc) knowing a URL is not enough because when you go to another computer and even just copy-paste that URL in, it will always ask you for some sort of authentication. And don't click on a link that could be from a malicious source.
Safari 2
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3757. "Safari supports telephone ("tel:") links to dial phone numbers. When a telephone link is selected, Safari will confirm that the number should be dialed. A maliciously crafted telephone link may cause a different number to be displayed during confirmation than the one actually dialed. Exiting Safari during the confirmation process may result in unintentional confirmation." Apple credits Billy Hoffman and Bryan Sullivan of HP Security Labs (formerly SPI Labs) and Eduardo Tang for reporting this issue.
Solution: Again, not sure why you would click a random phone number while browsing the web. Write the number down and use the good old keypad!
Safari 3
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3758. "A cross-site scripting vulnerability exists in Safari that allows malicious Web sites to set JavaScript window properties of Web sites served from a different domain. By enticing a user to visit a maliciously crafted Web site, an attacker can trigger the issue, resulting in getting or setting the window status and location of pages served from other Web sites." Apple credits Michal Zalewski of Google for reporting this issue.
Solution: I'm not really sure how this applies if JavaScript is disabled in iPhone Safari. Isn't that the case here? If JavaScript is enabled, again it's the same as if you're browsing on a normal computer - DON'T VISIT THOSE "ENTICING" WEBSITES!!! DUH!
Safari 4
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3759. "Safari can be configured to enable or disable JavaScript. This preference does not take effect until the next time Safari is restarted. This usually occurs when the iPhone is restarted. This may mislead users into believing that JavaScript is disabled when it is not."
Solution: Again, I could have sworn JavaScript didn't work on the iPhone? But even if it does, now we know the fix - just restart the phone when you change your Safari settings. Not too hard. And if you CAN disable or enable JavaScript, just keep it disabled! I heard JavaScript is pretty much useless on the iPhone anyway.
Safari 5
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3760. "A cross-site scripting issue in Safari allows a maliciously crafted Web site to bypass the same-origin policy using "frame" tags. By enticing a user to visit a maliciously crafted Web page, an attacker can trigger the issue, which may lead to the execution of JavaScript in the context of another site." Apple credits Michal Zalewski of Google and Secunia Research for reporting this issue.
Solution: Again, "enticing." Just keep JavaScript disabled when you want to mess around with "maliciously crafted web pages."
Safari 6
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-3761. "A cross-site scripting issue in Safari allows JavaScript events to be associated with the wrong frame. By enticing a user to visit a maliciously crafted Web page, an attacker may cause the execution of JavaScript in the context of another site."
Solution: Yet AGAIN, "enticing." Disable JavaScript when you want to be stupid and visit these malicious sites!
Safari 7
This patch affects users of Apple iPhone and addresses the vulnerability in CVE-2007-4671. "An issue in Safari allows content served over HTTP to alter or access content served over HTTPS in the same domain. By enticing a user to visit a maliciously crafted Web page, an attacker may cause the execution of JavaScript in the context of HTTPS Web pages in that domain." Apple credits Keigo Yamazaki of Little Earth Corporation for reporting this issue.
Solution: Why would you be visiting malicious sites in one window and having a secure HTTPS site open in another? The easy way out is to just have one window open when you are browsing an HTTPS site. And again, if you are suspicious about a site, close everything else! Sheesh!
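To make the class of issue quoted for CVE-2007-4671 concrete, here is an added example (not Apple's code and not part of the original post) comparing a host-only origin check with the full scheme/host/port comparison that the same-origin policy relies on. The function names and the example.com URLs are constructed for illustration.

```javascript
// Added illustration: an origin is the triple (scheme, host, port).
// All names and sample URLs below are constructed, not taken from Safari.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to the triple the same-origin policy compares.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    // URL drops an explicit default port, so fill it back in for comparison.
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// Flawed check: treats every page on the same host as one origin,
// so plain-HTTP content is allowed to touch the HTTPS page.
function sameHostOnly(a, b) {
  return originOf(a).host === originOf(b).host;
}

// Correct check: scheme, host and port must all match.
function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Constructed sample pairs: [page requesting access, page being accessed].
const SAMPLES = [
  ["http://bank.example.com/news", "https://bank.example.com/account"],
  ["https://bank.example.com/", "https://bank.example.com:443/account"],
  ["https://bank.example.com/", "https://bank.example.com:8443/admin"],
  ["https://bank.example.com/", "https://other.example.net/"],
];

// Run both checks over each pair so the disagreement is visible.
function compareChecks(pairs) {
  return pairs.map(([a, b]) => ({
    a, b, hostOnly: sameHostOnly(a, b), strict: sameOrigin(a, b),
  }));
}

for (const r of compareChecks(SAMPLES)) {
  const flag = r.hostOnly && !r.strict ? "  <-- host-only check wrongly allows" : "";
  console.log(`${r.a} -> ${r.b}: hostOnly=${r.hostOnly} strict=${r.strict}${flag}`);
}
```

The first pair is the HTTP-to-HTTPS case from the advisory text: same host, different scheme, so only the strict comparison rejects it.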
So basically, none of these updates justifies an upgrade for 1.0.2 users whose phones are unlocked. They're all stuff that is useful to know for sure, but they don't need the upgrade - they can be prevented by mere common sense. Don't be "enticed" to visit weird, potentially malicious websites on your iPhone - something I don't even do on my regular computer.
Or better yet, don't think of your iPhone as a replacement for your computer! If you like to "browse malicious websites" and click on random links that you have no idea about, maybe the iPhone isn't for you.