Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Security Strategy, Plan, Budget, Vulnerability Management, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Apple fixes 10 iPhone bugs

In the its widest-reaching round of iPhone security updates yet, Apple released 10 fixes on Thursday, correcting vulnerabilities in the popular mobile phone's Safari browser, mail client and Bluetooth server.

Seven fixes affected Safari browser vulnerabilities. Of the remaining three Bluetooth-related updates, one fixed a "critical" flaw that could allow outsiders to eavesdrop on iPhone conversations.

Of the common vulnerability enumerations, Apple's term for patches, Andrew Storms, director of network security for nCircle, said: "The Bluetooth bug is the most critical." Apple added that an attacker could send maliciously crafted Service Discovery Protocol packets to an iPhone with Bluetooth enabled to run malicious code for intercepting the wireless conversation.

"Even though this is labeled as a remote exploit, due to the nature of Bluetooth, this is more of a walk-by attack than a drive-by attack," Storms said via email. "The hacker would have to be within arm's length to exploit it."

Apple also closed a man-in-the-middle flaw in iPhone that impacts its mail capabilities when configured to use the Secure Socket Layer protocol. In this situation, an unpatched iPhone "does not warn the user when the identity of the mail server has changed or cannot be trusted and could lead to a man-in-the-middle attack," according to Apple.

Thursday's round of Apple patches also resolved a number of problems within the iPhone's Safari browser. One of them fixed a cross-site scripting vulnerability that allows malicious websites to run unauthorized JavaScript code.

According to researchers at Lumension (formerly PatchLink), Apple's updates have the potential to cause irreparable damage to iPhones that installed so-called "unlock code.” It is most often used to allow the iPhone to connect with a cellular service other than AT&T.

Damien Hogan, security analyst at Lumension, told SCMagazineUS.com that the vulnerabilities Apple fixed on Thursday could be exploited to download the unlock code onto an unsuspecting user's iPhone. Such unauthorized modifications could not only make the phone unusable, they would also void Apple's warranty, he said.

That could be a significant issue for users of unpatched iPhones whose devices have been co-opted by an unscrupulous third party, said Paul Zimski, senior director of marketing and product strategy at Lumension. Zimski said the risk of actual damage is low, and that he didn't believe Apple had released tools that would let iPhone users determine whether their phones have been modified.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.