Apple iPhone Four Months Behind OS X in Patches

Apple's iPhone runs a miniature version of OS X, the operating system that powers Mac computers. So it's fitting that Apple designed the iPhone to check for security updates whenever users fire up iTunes with their iPhone attached.

But it might surprise iPhone users to learn that the latest security update available for the iPhone dates back to February, and that a number of serious security vulnerabilities that Apple long ago patched in OS X remain unaddressed in the most recent version of the iPhone.

In seeking confirmation of this, I spoke recently with Charlie Miller, one of the foremost OS X and iPhone security researchers. Miller confirmed that the iPhone updater tells users that if they have version 1.1.4 installed then they are running the most current version. The problem is that this update does not include fixes for a slew of security holes in the Safari Web browser and other OS X components upon which the iPhone relies heavily.


"Apple should either update their software like they do with the core operating system, or otherwise don't advertise the fact that the iPhone checks for updates every week," Miller said. "Right now, an iPhone user is going to think they're up-to-date because there's no patch available, but the reality is that users are only as secure as they were back in February."

iPhones running the latest software updates from Apple are vulnerable to a critical Safari flaw that Miller exposed in March at the CanSecWest security conference, where he won the $10,000 "Pwn to Own" contest, which challenged researchers to find a previously unknown, remotely exploitable security hole in the Apple MacBook Air.

Apple fixed the Safari bug in mid-April, but Miller says it remains unpatched in the iPhone, along with pretty much any other fix that Apple made to Safari WebKit or WebCore since late February, when Apple released the 1.1.4 version of the iPhone firmware.

Miller says he recently created a tool to exploit the Safari vulnerability on an iPhone. Using the exploit, an attacker who convinces an iPhone user to click on a malicious link could steal the victim's call records or contacts, send text messages or read the user's sent and received messages, and make outgoing calls, among other things.

Miller has since detailed this iPhone exploit to HD Moore, who runs the Metasploit Project. In an e-mail to Security Fix, Moore said he hasn't yet added it to Metasploit, but plans to do so soon.

It could well be that Apple has been dragging its feet in patching iPhone vulnerabilities because it is focusing on rolling out version 2.0 of the iPhone, which will be released next week.

Speaking of old vulnerabilities hanging around, Rixstep today published a writeup that shows how any user can quickly get any application they want to run at startup on OS X, even in the most recent, patched version of Leopard. This is fully exploitable by a user sitting directly in front of the computer, but for remote attackers it's a classic "privilege escalation" vulnerability, in that it generally needs to be exploited in tandem with a separate security hole in order to work. In any event, the code posted on the Rixstep blog allows any application or user that does not have all-powerful "root" administrative privileges to assume those rights (well, after a reboot, anyway).

By Brian Krebs  |  July 2, 2008; 5:00 PM ET
Categories:  From the Bunker , Latest Warnings , New Patches , Safety Tips  


Apple needs to harden OS X. But the terrorists are going to be able to get into your computer anyway. After all, they have unlimited funding.

What would be more useful than listing vulnerabilities is publishing tutorials on command line tools that would help the average user detect the terrorists earlier. Instead of chasing every specific bug, more general approaches would be more useful: intrusion detection, hardening, firewall enhancements. You will never be able to catch every little mosquito or be completely up to date, but basic shell practices can be used by your readers across platforms.

Have you found any vulnerabilities in the OpenMoko phone yet?

Posted by: Singing Senator | July 2, 2008 7:21 PM | Report abuse

"In any event, the code posted on the Rixstep blog allows any application or user that does not have all-powerful "root" administrative privileges to assume those rights"

This is not correct; only users in the admin group have the ability to write to the /Library/Preferences directory and trigger the vulnerability.

Posted by: El Bo | July 2, 2008 7:43 PM | Report abuse

What kind of "journalist" takes Rixstep as a reliable source on OS X security?

Posted by: GuessWho | July 2, 2008 9:10 PM | Report abuse

From the IPs attached to these comments... It's good to see so many people from Apple reading this blog.

The nice people from Adobe, Mozilla and Sun all use their real names when leaving comments, even when the comments are vaguely insulting or take issue with something I've written.

I wonder why Apple employees never use their real names when commenting, or at least acknowledge that they work at Apple?

Care to address the central issue of this post (lack of updates for the iPhone)?

Posted by: Bk | July 2, 2008 9:28 PM | Report abuse

"I wonder why Apple employees never use their real names when commenting, or at least acknowledge that they work at Apple?"

Because they know they're deep in enemy territory when they visit a Brian Krebs page.

Posted by: zato | July 2, 2008 10:17 PM | Report abuse

so they need to update their software.
Gee seems to me any one with a brain cell functioning knows that version 2 software is out in about a week and know this for a long time.. Wouldn't it be better to wait a week and report back then... Something smells bad. Sure doesn't add to your credibility at all does it

Posted by: shane blyth | July 2, 2008 10:35 PM | Report abuse

@shane: "Gee seems to me any one with a brain cell functioning knows that version 2 software is out in about a week and know this for a long time."

Aaaaand what about during the other 18 weeks since February?

Posted by: Adam | July 2, 2008 11:05 PM | Report abuse

Computing is as safe but it is always the users who trigger the trojans and the leaky OS that allows the system to be attacked.

BTW Safari is great because it has auto spellcheck and fast.

Posted by: Applefanboi | July 2, 2008 11:41 PM | Report abuse

I quote
" @shane: "Gee seems to me any one with a brain cell functioning knows that version 2 software is out in about a week and know this for a long time."

Aaaaand what about during the other 18 weeks since February?"

what about the other 18 weeks? They are gone and My point was why wait till 1 week before a major software update release to moan rather than report 1 week later. I don't know anyone who has had an iphone security issue either. So leave it another 7 days and give us a more accurate statement about the state of its security and then complain it took em so long and if they have fixed issues of security then you can say good if not then you can nail them. I mean it is only 1 more week! Just my opinion

Posted by: shane blyth | July 3, 2008 2:13 AM | Report abuse

you guys didn't really think those previous iphone updates were about security, did you? sure, apple included some updates, but what they really wanted to do was control the user and block people from unlocking the phones for use on other carriers or for writing applications to the phone.

once apple saw that this was a fruitless arms race, they gave up on iphone patching, period.

to shane: calling attention to the fact that apple hasn't patched the iphone in four months *before* they issue the next version seems like a better option than *after* because it holds the possibility that apple might actually be forced into doing the right thing...that is, actually patching the phone.

Posted by: nl | July 3, 2008 8:05 AM | Report abuse

If a terrorist (my, how over-the-top this overused word is) is going to attack the so-called vulnerabilities of the iPhone, you know it's going to be a Bush NeoCon.

A Bush NeoCon is that peculiar form of American who does what he/she wants, no matter that the activity may be anti-Constitutional or otherwise illegal. Spearheading these exploits is V. P. Gen. Cheney under the "inspired" philosophical guidance of Prof. John Yoo.

Posted by: vanax | July 3, 2008 8:33 AM | Report abuse

May I have your articles in my site, this is really good.

Posted by: Linda | July 3, 2008 11:14 AM | Report abuse

@ zato: "enemy territory?" I hope that comment was facetious. Seems to me we're all on the same side here: learning about how to keep our stuff secure. How can BK or his "Security Fix" be an enemy when pointing out security weaknesses, no matter the system, device, or appliance?

Posted by: Pete from Arlington | July 3, 2008 11:31 AM | Report abuse

I really like Apple products in general, save for the 1 G machine that is not ever going to stay repaired (been to the store twice now).
As for the iPhone, I really don't like it- screen's too small, damn things all tied up to vendors, and I really think the thing is little more than a very expensive Minux hardware application.
Just my opinion.

Posted by: Tonio | July 3, 2008 3:46 PM | Report abuse

I like Rixstep, and the general sense in which they hold Apple accountable to software quality.


That "exploit" requires you to enter an administrator password to install the updated plist. So it is not a true vulnerability. On this occasion Rixstep "overstep" the mark by claiming that "anyone" can do it.

On the other hand, the continuing ARDAgent flaw is a real vulnerability, because it offers privilege escalation without the need for an administrator password....

You should update your article to make this clear...

Posted by: Rodney | July 4, 2008 12:30 AM | Report abuse

All of us are not on the same side. For example, if you are on the side of Dubya, you are not on my side. My side is not on the side of unlimited funding. Bush is on the side of unlimited funding for his war. Unfortunately, congress continues to fund his unlimitedly funded war, so the Congress that I voted for is not on my side.

Only the Apple logo is on my side. If there were some way to replace Jesus with the Apple logo in church, and each altar having a Mac from which the priest reads the Bible, I would be much happier and have more faith in the life of Mac rather in the fake death of Christ.

I invite you, Zato, to join me on my side, the one on the side of the Apple Logos. *S*

Posted by: Vito Positano | July 4, 2008 8:46 PM | Report abuse

Apple has been notorious in the security community for lack of communication, so who knows if there actually will be an update for the first generation iPhone on Friday that addresses the security flaws found in OS X and Safari. Apple has also been one of the slowest entities to act when a security flaw is published. I think that in the past 2 years they have gotten much better, average time to fix is somewhere around 32 days now I think, whereas in the past it was 91 days. Though, I don't believe the 32 days figure was calculated taking iPhone into account, just the core Mac OS X. Obviously, the iPhone takes Apple's security efforts in the wrong direction.

Posted by: interested | July 7, 2008 1:48 PM | Report abuse

I have long thought that APPLE needs to be taken to court over its fleecing of iPhone customers, locking its iPhone customers in a box, and not supporting its iPhone customers at all. i have an iPhone that is not hacked, no official apps (are there any?), no security, and i can't even use the damn disk space how i want!! i paid for ownership of the phone, yet i cannot do as i please with it... F@CK APPLE!!

oh yeah... it's a 400 dollar phone and it doesn't come with a single game on it? what a cheap a$$ excuse of a company.

Posted by: Jesse | July 8, 2008 2:33 PM | Report abuse

The comments to this entry are closed.
