
Apple iPhone v1.0.1 Update Now Available 279

Posted by kdawson
from the more-better-security dept.
The Webguy writes "Apple has released the first update for the iPhone. Updated components in the v1.0.1 update include Safari, the WebCore, and the WebKit. Quoting from the Apple Knowledge Base, the 'update is only available through iTunes, and will not appear in your computer's Software Update application, or on the Apple Support Downloads site.'" One source speculated that Apple wanted to get fixes in users' hands ahead of the Black Hat conference where details of early iPhone vulnerabilities could be revealed.

  • by Man On Pink Corner (1089867) on Tuesday July 31, 2007 @09:17PM (#20065907)
    it would let me bookmark a Google Maps location.
    • Re: (Score:3, Informative)

      by furball (2853)
      Like arbitrary coordinates or an address? Because it can bookmark addresses and searches. I have McCarran International Airport (Las Vegas) bookmarked on my phone right now.
      • Re: (Score:3, Funny)

        by JonathanR (852748)
        What, are you hatching a terrorist plot?
    • you can always do it in safari.
  • by iluvcapra (782887) on Tuesday July 31, 2007 @09:25PM (#20065967)


    iPhone v1.0.1 Update

    Safari

    CVE-ID: CVE-2007-2400

    Available for: iPhone v1.0

    Impact: Visiting a malicious website may allow cross-site scripting

    Description: Safari's security model prevents JavaScript in remote web pages from modifying pages outside of their domain. A race condition in page updating combined with HTTP redirection may allow JavaScript from one page to modify a redirected page. This could allow cookies and pages to be read or arbitrarily modified. This update addresses the issue by correcting access control to window properties. Credit to Lawrence Lai, Stan Switzer, and Ed Rowe of Adobe Systems, Inc. for reporting this issue.

    Safari

    CVE-ID: CVE-2007-3944

    Available for: iPhone v1.0

    Impact: Viewing a maliciously crafted web page may lead to arbitrary code execution

    Description: Heap buffer overflows exist in the Perl Compatible Regular Expressions (PCRE) library used by the JavaScript engine in Safari. By enticing a user to visit a maliciously crafted web page, an attacker may trigger the issue, which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript regular expressions. Credit to Charlie Miller and Jake Honoroff of Independent Security Evaluators for reporting these issues.

    WebCore

    CVE-ID: CVE-2007-2401

    Available for: iPhone v1.0

    Impact: Visiting a malicious website may allow cross-site requests

    Description: An HTTP injection issue exists in XMLHttpRequest when serializing headers into an HTTP request. By enticing a user to visit a maliciously crafted web page, an attacker could trigger a cross-site scripting issue. This update addresses the issue by performing additional validation of header parameters. Credit to Richard Moore of Westpoint Ltd. for reporting this issue.

    WebKit

    CVE-ID: CVE-2007-3742

    Available for: iPhone v1.0

    Impact: Look-alike characters in a URL could be used to masquerade a website

    Description: The International Domain Name (IDN) support and Unicode fonts embedded in Safari could be used to create a URL which contains look-alike characters. These could be used in a malicious web site to direct the user to a spoofed site that visually appears to be a legitimate domain. This update addresses the issue through an improved domain name validity check.

    WebKit

    CVE-ID: CVE-2007-2399

    Available for: iPhone v1.0

    Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

    Description: An invalid type conversion when rendering frame sets could lead to memory corruption. Visiting a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution. Credit to Rhys Kidd of Westnet for reporting this issue.
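
The CVE-2007-2401 entry quoted above describes header injection when XMLHttpRequest serializes headers, fixed by "additional validation of header parameters". The sketch below is an added example, not part of the comment and not Apple's or WebCore's code: it contrasts a serializer that concatenates caller input with one that validates names and values first. All function names, the sample host and the forbidden-header subset are assumptions made for illustration.

```javascript
// Added illustration; every name here is hypothetical, not WebCore code.

// RFC 7230 "token": the only characters allowed in a header field name.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// Field values: tab, space, visible ASCII and obs-text. No CR, LF or NUL.
const FIELD_VALUE = /^[\t\x20-\x7E\x80-\xFF]*$/;
// Headers page script must not set, since they describe the target or the
// framing of the request (a subset of the list browsers enforce today).
const FORBIDDEN = new Set([
  "host", "content-length", "transfer-encoding", "connection", "cookie", "referer",
]);

// Returns null when the header is acceptable, otherwise the reason it is not.
function checkHeader(name, value) {
  if (typeof name !== "string" || !TOKEN.test(name)) return "invalid header name";
  if (FORBIDDEN.has(name.toLowerCase())) return "forbidden header";
  if (typeof value !== "string" || !FIELD_VALUE.test(value)) return "invalid header value";
  return null;
}

// Unvalidated form: caller input goes straight into the wire format.
function serializeNaive(method, path, host, headers) {
  let out = `${method} ${path} HTTP/1.1\r\nHost: ${host}\r\n`;
  for (const [n, v] of headers) out += `${n}: ${v}\r\n`;
  return out + "\r\n";
}

// Validated form: the whole request is refused if any header fails the checks.
function serializeChecked(method, path, host, headers) {
  for (const [n, v] of headers) {
    const err = checkHeader(n, v);
    if (err) throw new Error(`${err}: ${JSON.stringify(n)}`);
  }
  return serializeNaive(method, path, host, headers);
}

// Number of header lines a server would parse out of the serialized request.
function headerLineCount(wire) {
  return wire.split("\r\n\r\n")[0].split("\r\n").length - 1;
}

// Constructed sample: a single header whose value carries an embedded CRLF.
const sample = [["X-Note", "hello\r\nX-Extra: 1"]];
```

With the constructed sample, the unvalidated serializer emits three header lines for one caller-supplied header plus Host, which is the mismatch a server-side log review or proxy would notice; the validated serializer throws before anything is written.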
  • by qualidafial (967876) on Tuesday July 31, 2007 @09:29PM (#20065997) Homepage
    I'm writing this message from my iPhone and haven't noticed any problems at ~£]+~}2(&"@NO CARRIER
  • One Source? (Score:3, Insightful)

    by juuri (7678) on Tuesday July 31, 2007 @09:48PM (#20066141) Homepage
    Who, cmdrtaco?

    Slashdot has sources now? ... right!

  • updated (Score:4, Funny)

    by Fluk3 (742259) on Tuesday July 31, 2007 @09:52PM (#20066175)
    Feels Snappier(TM)
  • by lancejjj (924211) on Tuesday July 31, 2007 @10:26PM (#20066441) Homepage

    One source speculated that Apple wanted to get fixes in users' hands ahead of the Black Hat conference where details of early iPhone vulnerabilities could be revealed.
    Admittedly, I had speculated this, but I have no basis to believe that Apple "rushed out" these fixes or had a timeline based on the conference. Instead, my speculation was that Apple merely wanted these fixes out earlier than later, and that some on the inside were happy that the fixes were released in such a timely manner.

  • Interesting... (Score:5, Interesting)

    by Anonymous Freak (16973) <prius...driver@@@mac...com> on Tuesday July 31, 2007 @10:27PM (#20066447) Journal
    The first step after hitting go involves the iPhone going into a "Software Update" screen, then immediately going to an Apple logo with progress bar. On the computer, while the progress bar is going by, is displayed "Verifying Current iPhone Software"... Does this mean it's checking the existing install to make sure it's not hacked?

    Anyone with a hacked iPhone try this yet, and if so, any problems? I expect any hacks will have to be re-applied (or even re-discovered, if the hole that allowed them was patched.)

    (I haven't hacked my iPhone yet, but I would like to make sure Apple doesn't lock hacked ones out of updates.)
    • Re:Interesting... (Score:5, Informative)

      by wannasleep (668379) on Tuesday July 31, 2007 @10:40PM (#20066595)
      Yes it is checking the install for integrity... and it looks like it wipes out phones with some mods. It is not clear yet what mods trigger a complete wipe. It looks like ringtones and minor mods will survive the update. People are still testing.
    • Re: (Score:2, Informative)

      by dizneedave (1089861)
      Yep. It wiped my ringtones and my custom graphics. I thought this might happen. Now let's see if it actually fixed Safari so it doesn't crash every 10 minutes.
    • by voisine (153062) on Wednesday August 01, 2007 @12:05AM (#20067025)
      I just had some ringtones on there and the software verification failed. Had to do a full restore. It took longer and I have to re-hack it to get my cat-screech custom ringtone for the wife back, but otherwise painless.
      • Can you really hack the iPhone to add custom ringtones? If so, can you give a URL? I would love to buy an iPhone after trying it out in the Apple Store, but the SMS notification tone is unacceptable. I get automated SMS notifications at night for problems at work, which need to be able to wake me up from a drunken stupor. I had to replace some of the default "message tones" on my last LG CU500 to make that happen. The iPhone doesn't even let you change the tone at all, and it's a short, quiet beep
        • Yes, you can. If all you want is to add custom ringtones, you can use a simple app like iFuntastic [modmyiphone.com]. If you want to replace existing other sounds (like the SMS tone you mention,) you need more in depth [ksilebo.com] methods.
    • Re: (Score:3, Informative)

      by bugnuts (94678)
      From a certain site that doesn't want to be slashdotted:

      The iPhone Software Update 1.0.1 has been released. Here are the things we currently know about it:

      * Full system wipe on modded phones (fails integrity check)
      * Downgrade does not work (Kind of mixed reports here. Apparently you can go through the process, but
      Settings > General > About still says 1.0.1)
      * The phone goes back through the activation process (DVD Jon's method ha

  • by chris_eineke (634570) on Tuesday July 31, 2007 @10:35PM (#20066557) Homepage Journal
    Isn't the iPhone a Newton 2.0?
    • It's Palm 10.0, if you think about how it really works... fundamentally, a device derived from a Newton would be all about handwriting recognition taken to the next level. The iPhone is about replacing the Graffiti input squares with a virtual keyboard, with some hint of the gesture recognition dispersed throughout the device.

      Also, it's what Palm should have developed about two years ago, if they hadn't lost focus on making great small device OSes
      • by amper (33785) *
        The funny thing is, if there's enough of Mac OS X in there, it should be theoretically possible to port Inkwell to the iPhone. I'm sure Apple is thinking about this.

        And Palm? It seems to me that about the only chance Palm has for continued existence is to go back to their roots and release Graffiti (v1, not v2, now that the lawsuit is settled) for the iPhone. You *do* know that Palm's original product was Graffiti, right? And that one of the platforms it ran on was the Newton MessagePad?

        Honestly, I hope Pal
        • Re: (Score:3, Informative)

          by SuperKendall (25149)
          The funny thing is, if there's enough of Mac OS X in there, it should be theoretically possible to port Inkwell to the iPhone. I'm sure Apple is thinking about this.

          I don't think they are, because the finger is a terrible writing implement - that would be far more suited to a stylus I think.

          And Palm? It seems to me that about the only chance Palm has for continued existence is to go back to their roots and release Graffiti (v1, not v2, now that the lawsuit is settled) for the iPhone. You *do* know that Palm
          • I don't think they are, because the finger is a terrible writing implement - that would be far more suited to a stylus I think.
            Nonsense. You just need a fingersharpener.
      • It's got nothing to do with Newton, Palm, Pocket PC, Symbian/EPOC devices, or any other smartphone or PDA, because you can't run anything but Apple's software on it.

        It's basically a canned email/browser device like WebTV in a pocket form factor, with a handful of common organizer applications baked into the image, like Royal's old line of organizers.
  • One fix that I found (Score:4, Informative)

    by jht (5006) on Tuesday July 31, 2007 @10:53PM (#20066665) Homepage Journal
    VPN connections work correctly now. Before, it wouldn't save my PPTP password and then when it connected it would bring up a password entry box with only numeric characters allowed. I didn't try VPN with a password not saved, but at least saved password behavior is correct.

    The update took around 7-8 minutes altogether. Left a ".ipsw" file in my ~/Library/iTunes/iPhone Software Updates folder which presumably contains the image.
  • Sooooo.... (Score:5, Funny)

    by kollywabbles (645848) on Tuesday July 31, 2007 @11:07PM (#20066743)
    can I replace the battery now?
    • You could replace it anytime you liked, just like you could with iPods.

      I personally don't mind sending it to Apple in three years or so, when it's at 80% capacity... or I may not, as it is the battery is plenty enough for me.

      If you enjoy having to replace batteries more often just because you can, and having shorter battery life - more power to you (so to speak).
    • nope. you can still send it in to apple where they will... well, what will they do exactly?

      i suppose, if i had an iphone, i'd try to find a way of wiping the memory bigtime before sending the device in to have its battery replaced. then i could be sure that apple wasn't gathering personal information about me.
    • by tm2b (42473)
      Sure. For $20, even. [brando.com.hk]

      That'd be funny if it was posted two weeks ago. As is... just lame.
  • by HighBit (689339) on Tuesday July 31, 2007 @11:38PM (#20066889)
    Is anyone else seeing this? My iPhone will not charge via the wall adapter after applying the update. Charging from the computer works fine, but I get nothing when it's plugged in via the wall adapter.
  • For a device as advanced as the iPhone, I'm shocked that this update can't be automatically done via WiFi or EDGE. I mean, it's practically a freaking computer on its own, and doesn't need to be tethered to yet another device.

    Dear Apple,

    Please stop selling out. You're on a slippery slope, and we won't forgive you another time after you slipped up in the 90s.

    Sincerely,
    Your customers.
    • Re: (Score:3, Insightful)

      by mr_matticus (928346)
      Yeah, because what everyone needs is a download or patching failure to brick their phone while they're traveling. Needing a computer allows you to backup/sync data beforehand and gives you the tools to do a restore if need be (for example, if a wonky hack bricks the update).

      Just because data and an installer can be delivered doesn't mean it's a brilliant plan.

      But I just have to ask: to whom has Apple sold out by requiring you to sit down at your computer to update a mobile device?
      • Requiring iTunes to manage the thing even for people explicitly not using it as a glorified iPod doesn't sound like a particularly great idea.

        Likewise, I don't think all that many people tend to make a regular habit of plugging their phones into their computers.

        It's perfectly technically feasible, and in all likelihood would be easier for the user to update wirelessly. Requiring iTunes was a business decision plain and simple.
        • You've clearly never owned a smartphone. Plugging it into the computer is the way it's done. You install updates, ROM flashes, most third-party software, and do syncing and backup all through ActiveSync. It's a nice, proprietary application, too.

          Mac users were screwed until someone created a hack that would let them work. Early Vista adopters (myself included) were screwed until after the retail release because Sync Center, which replaced ActiveSync, didn't actually do anything like, you know, syncing.
    • I mean, it's practically a freaking computer on its own, and doesn't need to be tethered to yet another device.

      The iPhone is a flash-based iPod video with a piss-poor phone and some rudimentary web and e-mail clients. Nothing more, nothing less. People with Blackberries and Palm smartphones are thoroughly unimpressed.... when's the last time you saw a story of a non-Mac-fanboi ditching their Blackberry for an iPhone with nowhere near the capabilities of their old device?

      • Re: (Score:3, Insightful)

        by syrinx (106469)
        when's the last time you saw a story of a non-Mac-fanboi ditching their Blackberry for an iPhone

        I assume "never", since according to you anyone who did ditch their Blackberry for an iPhone would, by definition, be a "Mac-fanboi".

        No true Scotsman puts sugar on his porridge. [wikipedia.org]

    • by Com2Kid (142006)

      For a device as advanced as the iPhone, I'm shocked that this update can't be automatically done via WiFi or EDGE

      Firmware Updates are done tethered for good reasons. Typically modern cell phones support limited over the air (OTA) updates, but firmware updates fall outside those bounds.

      The reasons? If anything goes wrong, the phone is effectively dead. The firmware[1] is the first thing that a phone loads when it is booted. If anything goes wrong during a firmware update and the firmware becomes corrupte

  • by gig (78408) on Wednesday August 01, 2007 @12:24AM (#20067131)
    This is the first time ever that a vulnerability has been found in a smart phone and it's been patched ahead of the public demo of the exploit.

    There is this meme that the iPhone is not ready for the enterprise because it doesn't have MAPI and special I-T management tools. Yet here we have the first vulnerability in the iPhone and it is promptly patched through a system that will distribute the patches very quickly and easily. A stark contrast to other mobiles. There are multiple holes in Symbian and of course Windows Mobile that remain completely unpatched. Nobody knows when that is going to change. For all the enterprise bluster around those systems they are not patching zero-day exploits.

    There are many reasons that the Mac is more secure than Windows, but a big reason is that OS X is such a moving target. Every quarter for 5 years there has been a new version which updates itself automatically. Exploits are made less valuable not just because of the smaller user base than Windows, but also because of the short shelf life of each OS version. The vast majority of Mac users are using the very latest OS and have all the patches applied even though the vast majority of Mac users have no I-T staff and no I-T skills.

    When the iPhone first shipped and people started hacking it, there was a lot of talk then that every hack may be temporary, a software update could come down through iTunes at any time and reset the game. There is nothing like that protecting any other mobile.

    • by prockcore (543967)

      This is the first time ever that a vulnerability has been found in a smart phone and it's been patched ahead of the public demo of the exploit.


      And smartphones have been running Windows for 7 years now... no vulnerabilities. I fail to see how that is anything but a huge win for Microsoft.
    • by jrumney (197329)

      There are multiple holes in Symbian and of course Windows Mobile that remain completely unpatched. Nobody knows when that is going to change.

      Anyone who has done the smallest amount of investigation into the smartphone platforms will know that OTA updates are a standard part of Windows Mobile 6. So somebody does know when it is going to change.

    • There is this "meme" spreading that the iPhone is a general purpose computer that could be useful to an enterprise.

      Did they patch that flaw?

      (And please provide links to these ZOMG 0-day SPLOITZ! I have a great need to take over phones and bring down the network. HACK THE PLANET!)
  • If you receive a call in the middle of the update, it will probably crash, forcing a slow restore.

    Me? I'm bitter and lonely, I could update the phone on my birthday with no concerns.

    But normal people will probably want to do it later at night to prevent a painful experience.

    • by sydsavage (453743)
      If that's true, wouldn't putting it in "I'm on a plane" mode before updating prevent that from happening?
    • by e4g4 (533831)
      Umm...I think it's highly unlikely that the radio will be on when the phone is being updated.
  • In other news (Score:2, Insightful)

    by wanted (66025)
    Microsoft released Service Pack 15 for Windows 2000. News at 11.

    Seriously, are we going to make a story out of every point release of iPhone's firmware?
  • the phone works well after the update, and does actually already show signs of improvement in performance. To some extent, I got around the crashing with reboots and recharges, or just used it in different ways. In the time spent this evening, it has not dropped to the main screen once. More remains to be seen, but this is what I was waiting for. The first proof that Apple is going to follow a proper release and update cycle.

    It's obvious when you use the iPhone for a while that there are unfinished feat
