
Apple releases iPhone, iPod Touch update

Updated, Nov. 13 at 4:20 p.m. EST

Apple on Monday pushed out another security update for the iPhone and iPod Touch to sew up four vulnerabilities that could permit attackers to drop malicious code on the popular devices.

But the patch, while closing critical security holes all relating to the way in which the devices process TIFF images, will have the most impact on developers who have been installing third-party software on the iPhone, Paul Henry, vice president of technology evangelism at Secure Computing, told today.

Hackers had been exploiting the vulnerability to install software known as "jailbreak," which lets them gain root control of the phone to add non-proprietary applications, Henry said. Now, these same researchers will have to revert to the original software that remains vulnerable to the exploit.

"You 'backrev' the software to the previous version and you're back in business," he said.

According to Apple, the vulnerability lies in ImageIO, a framework that permits Mac OS X applications to read and write most image file formats and that is open to multiple buffer overflows.

"By enticing a user to view a maliciously crafted TIFF image, an attacker may cause an unexpected application termination or arbitrary code execution," Apple said in an advisory.

Users can upgrade to iPhone and iPod Touch version 1.1.2 through iTunes only; the update will not be available through the Software Update application or the Apple Downloads website.

This is the third iPhone version update since the hot gadget was released at the start of the summer. Since then, many hacker groups have emerged in a quest to unlock the device.

Apple Chief Executive Officer Steve Jobs announced last month that third-party applications designed for the iPhone will be made available to consumers in February.
