Apple on Wednesday issued updates for the iPhone, iPod touch and QuickTime video player to address numerous security vulnerabilities, some of which could enable an attacker to execute arbitrary code.
The newest versions – iPhone OS 3.1, iPhone OS 3.1.1 for iPod touch, and QuickTime 7.6.4 – fix 10 security issues in the iPod touch and iPhone and four vulnerabilities in Windows and Mac versions of QuickTime. But one added security feature for the iPhone and iPod touch, an anti-phishing mechanism touted to warn users of fraudulent websites, does not work properly, according to Mac security firm Intego.
The QuickTime update addresses three heap buffer overflow issues and a memory corruption bug, all of which could result in unexpected application termination or arbitrary code execution by viewing a maliciously crafted MPEG-4 video file, FlashPix file, or H.264 movie, according to Apple release notes.
In the iPhone and iPod touch, a heap buffer overflow vulnerability exists in CoreAudio, which could cause applications to suddenly quit or permit arbitrary code to be executed if a user opens a maliciously crafted AAC or MP3 file, according to release notes. Another iPhone and iPod touch heap buffer overflow issue present in Recovery Mode could enable someone with physical access to bypass the passcode feature and use a locked device. In addition, a null pointer bug in Telephony, exploited through a maliciously crafted SMS message, could lead to unexpected service interruption.
Other vulnerabilities affecting the iPhone and iPod touch addressed in this update are present in Exchange Support, MobileMail, UIKit and WebKit and could enable an attacker to cause a denial-of-service, launch a cross-site scripting attack or obtain deleted email messages and passwords, Apple said.
In addition to the bug fixes, a new anti-phishing feature for mobile Safari on the iPhone and iPod touch uses Google's Safe Browsing database of websites that are known to host malware or phishing exploits. Mozilla Firefox, Google Chrome and Apple Safari already incorporate this technology into their browsers, so that when a user tries to visit a site flagged in Google's Safe Browsing database, a notification pops up alerting the user to the potential danger.
But this feature does not work consistently on mobile Safari for the iPhone and iPod touch, Peter James, spokesman at Intego, told SCMagazineUS.com on Thursday. On testing the feature on various versions of the iPhone and iPod touch, Intego found that it only shows an alert some of the time. Intego is investigating if it's a specific internet network, mobile carrier or device model that the feature isn't working on, but hasn't found any pattern for the inconsistency.
“We found that some get alerts, others not,” James said. “We can't figure out why. We are totally perplexed about this.”
An Apple spokesperson did not respond to a request for comment on Thursday.