Peculiar Patch Pits iPhone Security vs. Safari
Earlier this year, Security Fix criticized Apple for making iPhone users wait for fixes to security flaws that Apple had patched in its other products four months earlier. Now, it appears that iPhone users may have received a patch for a critical security hole four months before Apple fixed the flaw in its other products.
Taking a look at the vulnerability summary from the update Apple released last week to fix critical vulnerabilities in Mac and Windows versions of its Safari browser, we can see that Apple corrected a serious flaw in WebKit, the rendering engine used by Safari on Mac OS X, Windows and the iPhone:
WebKit
CVE-ID: CVE-2008-2303
Available for: Mac OS X v10.4.11, Mac OS X v10.5.5, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A signedness issue in Safari's handling of JavaScript array indices may result in an out-of-bounds memory access. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript array indices. Credit to SkyLined of Google for reporting this issue.
It looks like Apple fixed this same vulnerability in the iPhone's version of Safari back in July, when it shipped its 2.0 version of the iPhone's software. From that vulnerability advisory:
Safari
CVE-ID: CVE-2008-2303
Available for: iPhone v1.0 through v1.1.4, iPod touch v1.1 through v1.1.4
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A signedness issue in Safari's handling of JavaScript array indices may result in an out-of-bounds memory access. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript array indices. Credit to SkyLined of Google for reporting this issue.
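The bug class the advisory names, shown as an added C illustration that is not from the original post and is not WebKit's code: a signed index checked only against the upper bound, next to a check that also rejects negative values. The `js_array` type, the function names and the sample indices are hypothetical and constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical array storage for illustration; not WebKit's structure. */
typedef struct {
    uint32_t length;
    int32_t  slots[8];
} js_array;

/* Flawed: the index is treated as signed and only the upper bound is
 * tested, so every negative value passes the check. */
static int index_ok_signed(const js_array *a, int32_t index) {
    return index < (int32_t)a->length;
}

/* Validated: reject negatives first, then compare as unsigned. */
static int index_ok_validated(const js_array *a, int32_t index) {
    return index >= 0 && (uint32_t)index < a->length;
}

/* Reads only through the validated check, so this program never
 * performs an out-of-bounds access. Returns 0 on success, -1 if the
 * index is rejected. */
static int read_slot(const js_array *a, int32_t index, int32_t *out) {
    if (!index_ok_validated(a, index))
        return -1;
    *out = a->slots[index];
    return 0;
}

int main(void) {
    js_array a = { 4, { 10, 20, 30, 40 } };
    /* Constructed sample indices: in range, one past the end, negative,
     * and the bit pattern 0x80000000 read as a signed value. */
    int32_t samples[] = { 2, 4, -1, INT32_MIN };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int32_t v = 0;
        printf("index %11d  signed-only=%d  validated=%d  read=%d\n",
               (int)samples[i],
               index_ok_signed(&a, samples[i]),
               index_ok_validated(&a, samples[i]),
               read_slot(&a, samples[i], &v));
    }
    return 0;
}
```

The signed-only check accepts both negative samples, which is the condition that would lead to an out-of-bounds access if the index were then used; the validated check rejects them.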
Apple hasn't responded to a request for comment. It's possible that Apple's security team failed to realize the problem reported by Google was not limited to Safari but extended also to WebKit. Still, it seems odd that Apple would not check for that possibility back when this was first reported. If I were a bad guy looking for a way to attack Safari users, I would have definitely been interested in that July advisory.
Update, 1:20 p.m. ET: Looks like this was just an anomaly. Apple today released version 2.2 of the iPhone software, and a number of the security flaws addressed in it were fixed months ago in security updates for other software.
CVE-2008-2321 - Fixed Aug. 01 in Security Update 2008-005
CVE-2008-2327 - Fixed Sept. 15 in Security Update 2008-006
CVE-2008-4211 - Fixed Oct. 9 in Security Update 2008-007
By Brian Krebs | November 20, 2008; 8:46 PM ET
Categories: From the Bunker, Misc., New Patches
Get ready Microsoft advertising agency .. looks like you'll soon get your chance to answer the PC v Mac attacks you've had to endure lately.
I look forward to the contest.
Posted by: tslats | November 21, 2008 9:51 AM
The comments to this entry are closed.