February 03, 2010, 12:12 PM — Apple today patched five vulnerabilities in the iPhone's operating system, including one in a password-locking feature that's required attention before.
iPhone OS 3.1.3 , the first update since September 2009, addressed five bugs, three of which were tagged with the phrase "arbitrary code execution," Apple-speak for a critical vulnerability. Unlike other software makers, such as Microsoft and Oracle, Apple does not rank flaws with a threat-scoring system.
The vulnerability that stood out to Andrew Storms, director of security operations at nCircle Network Security, was the one in the iPhone's recovery mode, which is used to restore the smartphone when it's completely unresponsive. "A memory corruption issue exists in the handling of a certain USB control message," said Apple 's advisory. "A person with physical access to the device could use this to bypass the passcode and access the user's data."
In other words, data on a lost, but locked, iPhone could be accessed by whomever finds it.
Storms pointed out that Apple patched a vulnerability in recovery mode last September when it updated the iPhone OS to 3.1.1 . At the time, Apple's description of the flaw was similar to today's copy: "A heap buffer overflow exists in Recovery Mode command parsing. This may allow another person with physical access to the device to bypass the passcode, and access the user's data."
Apple has had problems with the iPhone's password-locking feature in the past. In August 2008, a researcher discovered that Apple had forgotten to patch a bug that let people sidestep locking by simply tapping "Emergency Call" on the password-entry screen, then double-tapping the Home button. The bug had been patched in January 2008, but resurfaced in iPhone 2.0. Apple re-patched it a month later.
The other four holes plugged today aren't much to worry about, said Storms. "The small number is a good sign," he said. "Plus, we're not seeing horrendous WebKit vulnerabilities that could be exploited by getting people to a Web site." WebKit is the open-source browser engine used by Apple to power Safari on the iPhone and iPod Touch.
One of the two WebKit bugs is in how the browser engine deals with HTML 5 external resources, such as images or video files. "The sender of an HTML-formatted e-mail message could use this to determine that the message was read," said Apple's advisory.
"That's a marketing or spammer kind of tool," said Storms, equating it with the practice of inserting images in e-mail to monitor the rate at which victims read the spam.