Big Apple Patch Includes 11th Hour iPhone Fix
In addition to addressing dozens of vulnerabilities in Mac OS X and Safari for Windows, Apple's latest mega patch includes the first iPhone fix. Apple had just two weeks to fix the iPhone problem after the Independent Security Evaluators discovered the flaw and promised to reveal their findings at the Black Hat Conference taking place this week in Las Vegas.
Apple released three security updates Tuesday that correct a slew of bugs, including a hole discovered last week in the one-month-old iPhone.
This is Apple's seventh security update this year. The bundled patches address approximately 45 vulnerabilities in the Mac OS X operating system, the Safari browser for Windows beta, and the iPhone.
The update fixes a lot of issues -- some critical, some not so critical -- and all Mac users should make sure they install it, Rob Ayoub, an analyst at Frost & Sullivan, told MacNewsWorld.
"It's a cumulative update," he said, "so anyone running an OS X platform really should get it."
The iPhone 1.0.1 update came in just under the wire and beat the Aug. 2 deadline set by the Independent Security Evaluators (ISE), which found the vulnerability. Researchers Charles Miller, Jake Honoroff and Joshua Mason set the clock ticking when they notified Apple of the flaw and gave the company two weeks to fix the problem before a planned presentation at the annual Black Hat conference in Las Vegas.
The patch corrects two flaws in the Safari browser (one that could lead to arbitrary code execution), two more in WebKit, and one in WebCore -- a WebKit component that handles HTML (Hypertext Markup Language) rendering on Macs. The bugs deal with the phone's browsing functionality; if left unpatched, they could make the device vulnerable to cross-site scripting and address-spoofing.
The two more serious flaws found in Safari and WebKit could give a hacker the ability to execute attack code on unpatched iPhones. Users who visit a maliciously crafted Web page could open themselves to an exploit through which a criminal could gain access to SMS (short message service) messages, the address book, call history and voice mail data.
As with the iPod, Apple has designed the iPhone to receive updates via iTunes; users looking for the security update in their Software Update application or on Apple's Support Downloads site will not find it there.
To install the patch, iPhone users will need an Internet connection and the latest version of iTunes, Apple said. When the iPhone is connected to the computer, iTunes will give the user the option to install the update. Those who select "don't install" will have the option to get the update the next time the phone is connected, but Apple cautioned iPhone users not to wait.
"We recommend applying the update immediately if possible," Apple urged.
The iPhone was out for just one day when a vulnerability in its browser was reported, Rob O'Brien, a security analyst at Sophos, told MacNewsWorld.
"There was also speculation that its insistence on connecting to available WiFi networks could pose a risk," he said.
"Apple has headed off any criticism of its previous security practices by concentrating on 'what Apple users want,'" O'Brien added, noting that "Apple users want to be safe and avoid the pitfalls of operating system vulnerabilities."
An Abundance of Patches
This update marks the seventh time this year that Apple has released patches for its operating system. While no OS is impervious to bugs or to exploits designed to capitalize on flaws in the code, Apple has increased the rate of its updates in part to change the perception that it has been lax on the security front.
"The iPhone took ... a lot of resources internally for Apple to develop, test and put out," Ayoub explained, "and this patch may be indicative -- now that the iPhone is out -- that things are getting a little bit back to normal."
As Apple continues to gain in popularity and add more applications, the company will have to focus more on security.
"Apple has made a very public commitment to increase security, and this is a result of that," Ayoub remarked.
"Vulnerabilities exist in most operating system software," O'Brien pointed out. "It is the rate at which they are detected that determines the rate at which 'fixes' are made. As OS X becomes more ubiquitous and Apple applications are widely adopted, the potential for exploits increases."
The iPhone is an excellent example of convergent media. Is it a computer with a phone, or a phone with a computer? It's both -- and as the company has successfully demonstrated in the past, "Apple knows what its users want," said O'Brien.
"What users want is to maintain existing levels of confidence in the stability and security of the device, whether it is a phone or a computer," he emphasized. "What Apple doesn't want is for someone to have the opportunity to develop an exploit for a known vulnerability in its operating system."