Did Apple Patch the iPhone Just in Time for BlackHat?
Yesterday, the US Dept. of Homeland Security acknowledged Apple's release of a set of security updates for its new iPhone. As the device's widespread popularity will bring it under much closer scrutiny than any other smart phone, and will also make it the target of attempted attacks, this release marks the first test of Apple's ability to respond to security threats under pressure.
Judging from descriptions on Apple's Web site, the first series of patches addresses a vulnerability discovered by security researcher Charlie Miller and colleague Jake Honoroff. Apple credited the pair with the discovery of what its security page describes as a heap buffer overflow.
"By enticing a user to visit a maliciously crafted web page," reads the Web page, "an attacker may trigger the issue, which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript regular expressions."
Miller is scheduled to demonstrate how a cross-site security hole can be exploited to extract personally identifiable information from iPhones, at the BlackHat security convention in Las Vegas, late this afternoon local time.
With this first round of updates available publicly through iTunes, it will be interesting to see whether Miller makes the attempt to publicly crack an iPhone with the fixes installed, or whether an attendee prompts him to make the attempt first.
Also on Apple's list are a handful of updates to its Safari Web browser and its underlying WebCore and WebKit libraries, which address a cross-site scripting vulnerability. Again, Apple directly credited the discoverers of the problem, which may be a positive step toward engaging the user community in finding and resolving problems rather than finding and exploiting them.