ZDNetAsia : Printer Friendly - Researcher faults Apple on iPhone security updates

To print: Select File and then Print from your browser's menu

--------------------------------------------------------------
This story was printed from ZDNet Asia.
--------------------------------------------------------------

Researcher faults Apple on iPhone security updates

By Robert Vamosi
Monday, July 07 2008 06:35 AM
URL: http://www.zdnetasia.com/news/security/0,39044215,62043498,00.htm

A leading Mac OS X researcher says Apple has not kept the iPhone operating system up to date with patches it has issued for the desktop.

The iPhone runs a stripped-down version of Mac OS 10.5 and automatically checks for security updates. The last update for the phone, 1.1.4, was issued in February.

That means iPhone users are still vulnerable to a flaw discovered by Charlie Miller in March.

During the CanSecWest conference, Miller found and used a buffer overflow in Safari in the Apple WebKit to win a US$10,000 "Pwn to Own" contest. Apple patched Miller's Safari vulnerability for the desktop in April, but so far has not issued a similar patch for the iPhone.

Miller told the Washington Post recently he has an exploit of the flaw that will work on the iPhone.

Meanwhile, ZDNet Asia's sister ZDNet's Ryan Naraine points out that there's another upcoming iPhone exploit expected soon from Aviv Raff.

Speculation within the security community is that Apple is currently focused on the 3G version of the iPhone. Upgrades to current iPhones may be pushed out in advance or concurrent with the July 11 release of iPhone 2.0.

Apple does not respond to requests for comment on its software security policies.

This article was first published as a blog on CNET News.com.