iPhone critical patch among dozens released by Apple

Apple has patched the first-ever vulnerabilities in its popular iPhone, including a critical flaw that could allow attackers to steal sensitive information, nearly one month after the year's hottest gadget went on sale.

The timing was perfect for the California-based computing giant as researcher Charlie Miller from the Independent Security Evaluators – which discovered the critical bug – is scheduled to release details Thursday at the Black Hat hacker conference in Las Vegas.

In all, five fixes for the iPhone were issued, but the one garnering all the attention was Miller and company’s discovery last week of a buffer overflow vulnerability in the device that could lead to user infection if they view a specially crafted malicious website on the Safari browser.

As part of the attack, the cyberthieves, who would attain administrative privileges under the hack, pilfer personal data, which is then sent to a server the attacker operates. The stolen iPhone information could include stored contacts, text messages or passwords, but depending on the type of malware dropped, it could swindle banking information, too, researchers said.

"With the iPhone or any [mobile] devices that run off-the-shelf operating systems and web browsers, they run the risk of all the vulnerabilities that you see in Safari or Mozilla or Internet Explorer," Amol Sarwate, manager of vulnerability research at Qualys, told SCMagazine.com today.

iPhone patches will be delivered through the iTunes application, and Apple encourages users to immediately update. Sarwate said several iPhone users told him that they were "not aware that these patches had been released."

On Tuesday Apple also released its seventh security update of the year, offering more than 40 fixes for an array of Mac OS X issues. Included were patches for nine vulnerabilities in the scripting language, PHP, and three holes in Samba, a freeware program for sharing files between operating systems.

One of the Samba flaws could have permitted the remote execution of arbitrary code.

"It was a matter of some concern because it was unpatched [for some time]," Ben Greenbaum, senior research manager at Symantec Security Response, told SCMagazine.com today. "It could have been a fairly effective vector for worm propagation."

Apple additionally dropped four fixes for Safari beta update 3.0.3.

The large number of fixes in today's release shows Apple is intent on "moving toward a lump update model," Greenbaum said.

This should make it easier for administrators and also underscores Apple's effort in fixing reported flaws, he said.

The four other iPhone patches solved a website spoofing flaw and a frame-set rendering hole in WebKit and two potential cross-site scripting vulnerabilities — one in Safari, the other in WebCore framework. Greenbaum said he expects Apple to continue plugging holes in the iPhone because of the platform's popularity.

Sign up to our newsletters