Apple iPhone v1.0.1 Update Now Available

The Webguy writes "Apple has released the first update for the iPhone. Updated components in the v1.0.1 update include Safari, the WebCore, and the WebKit. Quoting from the Apple Knowledge Base, the 'update is only available through iTunes, and will not appear in your computer's Software Update application, or on the Apple Support Downloads site.'" One source speculated that Apple wanted to get fixes in users' hands ahead of the Black Hat conference where details of early iPhone vulnerabilities could be revealed.

Sure wish...

[Man On Pink Corner (1089867)]

it would let me bookmark a Google Maps location.

Re:

[furball (2853)]

Like arbitrary coordinates or an address? Because it can bookmark addresses and searches. I have McCarran International Airport (Las Vegas) bookmarked on my phone right now.

Re:

[JonathanR (852748)]

What, are you hatching a terrorist plot?

Here's a way

[SuperKendall (25149)]

When you are at the area you want to save, search for a road name visible on the map. Searches take place primarily in the area you are viewing, so if the road is small enough you'll get a pretty exact location you can bookmark to return to that area.

If you use a major road name, the location chosen might be in the middle of the stretch of roadway, so try to use smaller streets if you can.

Re:

[Man On Pink Corner (1089867)]

Yeah, unfortunately, using Google Maps is really awkward. I can't even tell how to scroll the map, frankly, since there's no way for the phone to confuse an AJAX "dragging" operation with the normal page-scrolling action.

A Description of the Patches from Apple:

[iluvcapra (782887)]

iPhone v1.0.1 Update

Safari

CVE-ID: CVE-2007-2400

Available for: iPhone v1.0

Impact: Visiting a malicious website may allow cross-site scripting

Description: Safari's security model prevents JavaScript in remote web pages from modifying pages outside of their domain. A race condition in page updating combined with HTTP redirection may allow JavaScript from one page to modify a redirected page. This could allow cookies and pages to be read or arbitrarily modified. This update addresses the issue by correcting access control to window properties. Credit to Lawrence Lai, Stan Switzer, and Ed Rowe of Adobe Systems, Inc. for reporting this issue.

Safari

CVE-ID: CVE-2007-3944

Available for: iPhone v1.0

Impact: Viewing a maliciously crafted web page may lead to arbitrary code execution

Description: Heap buffer overflows exist in the Perl Compatible Regular Expressions (PCRE) library used by the JavaScript engine in Safari. By enticing a user to visit a maliciously crafted web page, an attacker may trigger the issue, which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript regular expressions. Credit to Charlie Miller and Jake Honoroff of Independent Security Evaluators for reporting these issues.

WebCore

CVE-ID: CVE-2007-2401

Available for: iPhone v1.0

Impact: Visiting a malicious website may allow cross-site requests

Description: An HTTP injection issue exists in XMLHttpRequest when serializing headers into an HTTP request. By enticing a user to visit a maliciously crafted web page, an attacker could trigger a cross-site scripting issue. This update addresses the issue by performing additional validation of header parameters. Credit to Richard Moore of Westpoint Ltd. for reporting this issue.

WebKit

CVE-ID: CVE-2007-3742

Available for: iPhone v1.0

Impact: Look-alike characters in a URL could be used to masquerade a website

Description: The International Domain Name (IDN) support and Unicode fonts embedded in Safari could be used to create a URL which contains look-alike characters. These could be used in a malicious web site to direct the user to a spoofed site that visually appears to be a legitimate domain. This update addresses the issue by through an improved domain name validity check.

WebKit

CVE-ID: CVE-2007-2399

Available for: iPhone v1.0

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

Description: An invalid type conversion when rendering frame sets could lead to memory corruption. Visiting a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution. Credit to Rhys Kidd of Westnet for reporting this issue.

Re:

[toleraen (831634)]

What, did you expect Apple's servers to get slashdotted by this post? Somehow I don't think news about a security update will generate as much traffic to their site as say, a steve jobs keynote would.

Re:A Description of the Patches from Apple:

[chefmonkey (140671)]

Viewing a maliciously crafted web page may lead to arbitrary code execution

Arbitrary code execution? But isn't that what every iPhone user has been clamoring for?

Re:Copy and Paste from linked article - karma whor

[iluvcapra (782887)]

Yes, but you can't argue with success ;)

It's nice just to have it on the page to look at. Besides, how many people are going to actually read it anyways?

Re:

[iluvcapra (782887)]

Oooh, I'm taking a hit for that one :P

Copy/paste

[by Anonymous Coward]

It's informative because he did it on an iPhone! (Haha, I made a funny! You can't copy/paste on an iPhone!!) :-P

My iPhone seems fine...

[qualidafial (967876)]

I'm writing this message from my iPhone and haven't noticed any problems at ~£]+~}2(&"@NO CARRIER

One Source?

[juuri (7678)]

Who, cmdrtaco?

Slashdot has sources now? ... right!

updated

[Fluk3 (742259)]

Feels Snappier(TM)

Clarification on my speculation.

[lancejjj (924211)]

One source speculated that Apple wanted to get fixes in users' hands ahead of the Black Hat conference where details of early iPhone vulnerabilities could be revealed.

Admittedly, I had speculated this, but I have no basis to believe that Apple "rushed out" these fixes or had a timeline based on the conference. Instead, my speculation was that Apple merely wanted these fixes out earlier than later, and that some on the inside were happy that the fixes were released in such a timely manner.

Interesting...

[Anonymous Freak (16973)]

The first step after hitting go involves the iPhone going into a "Software Update" screen, then immediately going to an Apple logo with progress bar. On the computer, while the progress bar is going by, is displayed "Verifying Current iPhone Software"... Does this mean it's checking the existing install to make sure it's not hacked?

Anyone with a hacked iPhone try this yet, and if so, any problems? I expect any hacks will have to be re-applied (or even re-discovered, if the hole that allowed them was patched.)

(I haven't hacked my iPhone yet, but I would like to make sure Apple doesn't lock hacked ones out of updates.)

Re:Interesting...

[wannasleep (668379)]

Yes it is checking the install for integrity... and it looks like it wipes out phones with some mods. It is not clear yet what mods trigger a complete wipe. It looks like ringtones and minor mods will survive the update. People are still testing.

Re:Interesting...

[voisine (153062)]

I just had some ringtones on there and the software verification failed. Had to do a full restore. It took longer and I have to re-hack it to get my cat-screech custom ringtone for the wife back, but otherwise painless.

Re:

[bugnuts (94678)]

From a certain site that doesn't want to be slashdotted:

The iPhone Software Update 1.0.1 has been released. Here are the things we currently know about it:

* Full system wipe on modded phones (fails integrity check)
* Downgrade does not work (Kind of mixed reports here. Apparently you can go through the process, but
Settings > General > About still says 1.0.1)
* The phone goes back through the activation process (DVD Jon's method ha

Now that I'm thinking about it...

[chris_eineke (634570)]

Isn't the iPhone a Newton 2.0?

Nope, Palm 10.0

[SuperKendall (25149)]

It's Palm 10.0, if you think about how it really works... fundamentally, a device dervied from a newton would be all about handwriting recognition taken to the next level. the iPhone is about replacing the Grafitti input squares with a virtual keyboard, with some hint of the gesture recognition dispersed throughout the device.

Also, it's what Palm should have developed about two years ago, if they hadn't lost focus on making great small device OSe's

Re:

[amper (33785)]

The funny thing is, if there's enough of Mac OS X in there, it should be theoretically possible to port Inkwell to the iPhone. I'm sure Apple is thinking about this.

And Palm? It seems to me that about the only chance Palm has for continued existence is to go back to their roots and release Graffiti (v1, not v2, now that the lawsuit is settled) for the iPhone. You *do* know that Palm's original product was Graffiti, right? And that one of the platforms it ran on was the Newton MessagePad?

Honestly, I hope Pal

Re:

[SuperKendall (25149)]

The funny thing is, if there's enough of Mac OS X in there, it should be theoretically possible to port Inkwell to the iPhone. I'm sure Apple is thinking about this.

I don't think they are, because the finger is a terrible writing implement - that would be far more suited to a stylus I think.

And Palm? It seems to me that about the only chance Palm has for continued existence is to go back to their roots and release Graffiti (v1, not v2, now that the lawsuit is settled) for the iPhone. You *do* know that Palm

One fix that I found

[jht (5006)]

VPN connections work correctly now. Before, it wouldn't save my PPTP password and then when it connected it would bring up a password entry box with only numeric characters allowed. I didn't try VPN with a password not saved, but at least saved password behavior is correct.

The update took around 7-8 minutes altogether. Left a ".ipsw" file in my ~/Library/iTunes/iPhone Software Updates folder which presumably contains the image.

Sooooo....

[kollywabbles (645848)]

can I replace the battery now?

iPhone doesn't charge after update?

[HighBit (689339)]

Is anyone else seeing this? My iPhone will not charge via the wall adapter after applying the update. Charging from the computer works fine, but I get nothing when it's plugged in via the wall adapter.

In Your Face "Enterprise" iPhone Bashers

[gig (78408)]

This is the first time ever that a vulnerability has been found in a smart phone and it's been patched ahead of the public demo of the exploit.

There is this meme that the iPhone is not ready for the enterprise because it doesn't have MAPI and special I-T management tools. Yet here we have the first vulnerability in the iPhone and it is promptly patched through a system that will distribute the patches very quickly and easily. A stark contrast to other mobiles. There are multiple holes in Symbian and of course Windows Mobile that remain completely unpatched. Nobody knows when that is going to change. For all the enterprise bluster around those systems they are not patching zero-day exploits.

There are many reasons that the Mac is more secure than Windows, but a big reason is that OS X is such a moving target. Every quarter for 5 years there has been a new version which updates itself automatically. Exploits are made less valuable not just because of the smaller user base than Windows, but also because of the short shelf life of each OS version. The vast majority of Mac users are using the very latest OS and have all the patches applied even though the vast majority of Mac users have no I-T staff and no I-T skills.

When the iPhone first shipped and people started hacking it, there was a lot of talk then that every hack may be temporary, a software update could come down through iTunes at any time and reset the game. There is nothing like that protecting any other mobile.

Re:In Your Face "Enterprise" iPhone Bashers

[SuperKendall (25149)]

Quickly and easily? That's crap, and you know it. Quickly and easily would be for the iPhone to update over the air, like the T-Mobile Sidekick does. Having to connect the device to a PC running iTunes isn't "quick" or "easy".

It is, if you have a PC or mac??? I found it quick and easy. OTA might be a little nicer, but given that I sync once a day or so for calendar updates and other refreshes, it's easy enough.

Tell me, how is IT is going to push patches to the device?

The whole point was they don't need to, because it's easily handled by the user. Less IT work is a good thing, if you can just release your claws a little from grasping everything that comes within reach.

How are users going to know to apply the patch?

Software automatically prompts them to do so within seven days of the last check, so worst case in six days or so the last people should be updating the phones (unless they sync less frequently). Just like OS X updates, with 99% of the user population apply just fine with no IT involvement. I know the concept is just blowing your mind, but updates don't have to involve "support staff".

What if they have disabled patching?

You can't, though you could decline the update. But why would you? Remember, most users just hit "yes".

How do we ensure compliance? What's to stop iPhone 1.0 users/devices from connecting and downloading sensitive data?

Within a week there will be no iPhone 1.0 devices. You aren't getting the Big Picture here.

Here's a pop quiz - the CFO's iPhone is lost/stolen. What do you do?

What you can. Here's the kicker - this is true of your CFO right now, regardless of your feelings! So what are YOU doing other than putting your head in the sand? When have CFO's ever really been "managed" anyway?

Bullshit. Mac OS X is fundamentally unchanged from when Tiger came out two years ago.

Illusion! All those security updates, with patches to sshd and the like - they were all figments!

You have no idea how patching works in IT. We don't necessarily WANT users to have "all the patches applied", at least not right away. IT needs to control patch delivery to limit compatibility issues. Or do you believe that patches never break anything?

More sand-holing. How sad. Learn to deal, you have seven days before everyone is patched, figure it out if something doesn't work - but then again, since you can't install your own software anyway what exactly would break again?? Since you aren't doing the updates why are you taking support calls for the thing? Point them to Apple.

Presumably when third party software arrives, it will keep in step with iPhone updates just as software does with OS X updates.

Windows Mobile 6 devices can be patched over the air, and patch delivery can be managed with a variety of third-party tools.

Oh, you're one of THOSE people. No wonder the big picture is so elusive to you. You've forgotten who you serve.

Re:

[goodmanj (234846)]

The "moron"-level user, which IT security nazis seem to spend all their time worrying about, docks his iPhone every day or two. He does this to charge it, and to get his music, calendars, contacts, etc synced with his computer. Whenever he does this, he will automatically get the update. Unless he clicks "don't update". If you're worried about users rejecting updates, you should worry about them trying to swallow the phone too.

People have complained about how the iPhone is tethered to a desktop computer

Re:In Your Face "Enterprise" iPhone Bashers

[goodmanj (234846)]

The whole point was they don't need to, because it's easily handled by the user. Less IT work is a good thing, if you can just release your claws a little from grasping everything that comes within reach.

If I can jump on the bandwagon again here, let me tell you a story.

Once upon a time, in the distant '80s, there was a large research lab. This lab did a lot of work with computers. The computers of the day were giant VAXen which filled a basement room, with tentacles reaching out to terminals in users' offices throughout the building. The computers was complicated and confusing, and an army of highly trained, very smart support people worked on them. These high priests and acolytes lurked in the basement, worshipping the VAX god and interpreting its prophecies to the users. They did this job well.

But the users looked at the sacrifices they were making to the VAX god and its acolytes, and realized, "I can get much more done with far less money if I buy a small workstation for my office." The priests in the basement said, "but we won't be able to control and service the machine. What will you do when it breaks?" The users replied, "I'll buy a new one. They cost as much as two days of your salary." Lo, the priests in their basement temple feared for their jobs, feared that their great god, the source of their power, would be lost forever.

The priests were right, up to a point. The workstation users discovered viruses, and hackers, and spam, and the rest of the ten plagues of the Internet. They learned to do some of the work the priests once did on the VAX. But the new workstations were so much cheaper, and so much easier to use and maintain, that they found it a fair trade. The great VAX was cast out of the basement, and died the sad death of all forgotten gods, but the priests met a happier ending. The eldest took a generous early retirement; the neophytes re-trained, and learned to serve the new pantheon of desktop workstations. By letting go, by giving up their ability to control and manage and dominate, the priests made their users happier and more productive, and saved the lab a hell of a lot of money. ...

Then, one day, in the empty, dusty temple where the VAX god was once worshipped, the first Beowulf clusters sprouted. And as they grew and spread their tentacles, a new breed of priests arose to serve them...

Who is more ignorant

[SuperKendall (25149)]

This is, by far, the most ignorant security comment on Slashdot I have ever read. You are a fool sir, at least when it comes to security.

What I am is a security REALIST. What I realize is that people are "in UR Enterprize iPhoneinating UR Network". So who is more ignorant, the one who thinks about how this device can fit in as-is because it's going to anyway even if you don't want it, or someone who whines about lack of IT controlled updates and pretends like it's not already affecting you.

Welcome to real

Re:hmmm or not

[Necroman (61604)]

You have to press the "Check for Updates" button in iTunes to get it. iTunes only auto-checks for updates every 7 days or so.

Re:

[TubeSteak (669689)]

You have to press the "Check for Updates" button in iTunes to get it. iTunes only auto-checks for updates every 7 days or so.

So if someone patched iTunes to prevent it from fetching iPhone updates...
You could theoretically mod your phone and iTunes wouldn't stop working because of pending updates?

Re:

[Necroman (61604)]

Nope, it asks if you watch to patch, you don't have to. From what I can tell, you are more than welcome to keep running 1.0.0 version of the iPhone firmware.

Re:hmmm or not

[node 3 (115640)]

Are you sure that it will ask you about a patch that is critical for Apple's revenue stream?

Absolutely. Apple *always* asks.

oops

[sam_paris (919837)]

Ok I have it now, but rather worryingly, half way through installation the process has stalled and my phone is currently ibricked :(

Re:

[by Anonymous Coward]

It takes a long time to get moving again once it stalls at the halfway point, but it does eventually continue. 5-10 minutes total, in my case.

Re:

[shawnce (146129)]

Did you take it out of the dock? Anyway if need run the restore option that iTunes provides.

(my update worked without issue, it did "stall" for about 2 minutes during the updating firmware stage)

Re:

[djh101010 (656795)]

Am I the only one who thinks it's really silly that the only channel through which to update your phone (or, put in another way, your slightly-locked-down, general purpose hand-held computer and communications device) is... is... your MUSIC PLAYER!?

(it is called itunes, no?)

Am I the only one who finds it amusing that people are so desperate to find something, anything, negative to say about the iPhone that they pick something like this to complain about? That, and if you're on a PC and going to sync an iPhone, which includes an iPod (needs iTunes), why would you want _another_ app to do the syncing of the stuff on the iPhone that isn't music? It's the most logical place for that functionality.

Re:

[Anonymous Freak (16973)]

Hrm... Halfway through, iTunes gave me an "Update could not be completed" error, although the progress bar on the iPhone itself is still going.

Due to the Slashdot length-between-posts time limit, I have had time to let it finish, and it looks like it worked just fine. Although I currently have no cell phone signal, even though it's in the exact same location that it had a full signal before the update..... Ah, there we go. Signal is back. Sync failed, though. It's losing the connection to the iPhone..

Re:oops

[stonedcat (80201)]

Your struggle had me gripping the edge of my seat.

Re:

[by Anonymous Coward]

Makin love to his tonic and gin

Re:

[Amouth (879122)]

i thought it was kinda nice of someone to do.. i love that song.. and it helped break up the whineing that 90% of these "discussions" turn into....

Re:

[by Anonymous Coward]

So you held the iPhone in the other hand?

Remind me not to borrow your iPhone.

Re:

[sqrt(2) (786011)]

Informative? Informative!?

Yes, waiter, another glass of kool-aid please.
(captcha: ravening)

Re:My iPhone got me laid

[AmberBlackCat (829689)]

An iPhone will work, but really it could be any item that indicates to the woman that you're willing to spend hundreds of dollars on something pretty.

Re:Uh...

[dfghjk (711126)]

Where did the author say it was surprising(, exactly)?

Of what use is your comment, exactly?

Re:

[Internet Ronin (919897)]

Well there is the fact that it doesn't break any of the existing hacks for the iPhone...

Re:

[mr_matticus (928346)]

Yeah, because what everyone needs is a download or patching failure to brick their phone while they're traveling. Needing a computer allows you to backup/sync data beforehand and gives you the tools to do a restore if need be (for example, if a wonky hack bricks the update).

Just because data and an installer can be delivered doesn't mean it's a brilliant plan.

But I just have to ask: to whom has Apple sold out by requiring you to sit down at your computer to update a mobile device?

Re:

[syrinx (106469)]

when's the last time you saw a story of a non-Mac-fanboi ditching their Blackberry for an iPhone

I assume "never", since according to you anyone who did ditch their Blackberry for an iPhone would, by definition, be a "Mac-fanboi".

No true Scotsman puts sugar on his porridge. [wikipedia.org]