Latest upgrade to iPhone includes 46 security fixes
The iPhone 3G S
Along with a host of new features, version 3.0 comes fitted with patches for 46 security vulnerabilities. The upgrade fixes everything from heap buffer overflows, multiple memory corruption issues in the handling of PDF files to cross-site scripting flaws, according to Apple.
For example, one patch updates the iPhone mail application to enable more user discretion in the loading of remote images within HTML messages. The app was upgraded so that an application cannot cause an alert to appear that could be enlisted to initiate a phone call without the user's knowledge.
Another patch fixes what could have led to the disclosure of credentials or application data when users of Microsoft's Exchange server accepted an untrusted certificate.
In the commercial space, the latest iPhone version contains a number of security advancements for businesses considering deployment, including hardware encryption and remote-wipe capabilities, experts told SCMagazineUS.com.
"The iPhone is a very powerful enterprise tool," said Mark Rotman, president of MessageWare, a Toronto-based vendor that offers solutions to enhance and secure Outlook Web Access, a Microsoft webmail service. "This is a very impressive device...and a great enterprise-ready entry."
But not all the experts are convinced that the latest iPhone is ready for the business environment.
"Remote wipe was there in 2.0 when managed from the Exchange server," Ken Dulaney, vice president and distinguished analyst at Gartner, told SCMagazineUS.com on Thursday. "The new individual remote wipe is not useful to enterprise. They want things that are policy enforced. The fact is that all 3G S devices are encrypted, but what about the old ones? And Apple hasn't disclosed the details about encryption so that it cannot be determined whether it's robust enough for enterprises."
The iPhone cannot move into all enterprise applications, added Dulaney. "Our research today says it's good for PIM, email, browser and telephony. But when you put code on the device, the security is insufficient to conclude that enterprises can deploy applications without concern about security. The reason for this is that they don't permit background processing. Without background processing you cannot run security products that must remain always on, but separate from any existing process."