
Apple iPhone Four Months Behind OS X in Patches

http://blog.washingtonpost.com/securityfix/2008/07 [2008-7-4]


"Apple should either update their software like they do with the core operating system, or otherwise don't advertise the fact that the iPhone checks for updates every week," Miller said. "Right now, an iPhone user is going to think they're up-to-date because there's no patch available, but the reality is that users are only as secure as they were back in February."

iPhones running the latest software updates from Apple are vulnerable to a critical Safari flaw that Miller exposed in March at the CanSecWest security conference, where he won the $10,000 "Pwn to Own" contest, which challenged researchers to find a previously unknown, remotely exploitable security hole in the Apple MacBook Air.

Apple fixed the Safari bug in mid-April, but Miller says it remains unpatched in the iPhone, along with pretty much any other fix that Apple made to Safari Webkit or Webcore since late February, when Apple released the 1.1.4 version of the iPhone firmware.

Miller says he recently created a tool to exploit the Safari vulnerability on an iPhone. Using the exploit, an attacker who convinces an iPhone user to click on a malicious link could steal the victim's call records or contacts, send text messages or read the user's sent and received messages, and make outgoing calls, among other things.

Miller has since detailed this iPhone exploit to HD Moore, who runs the Metasploit Project. In an e-mail to Security Fix, Moore said he hasn't yet added it to Metasploit, but plans to do so soon.

It could well be that Apple has been dragging its feet in patching iPhone vulnerabilities because it is focusing on rolling out version 2.0 of the iPhone, which will be released next week.

Speaking of old vulnerabilities hanging around, Rixstep today published a writeup that shows how any user can quickly get any application they want to run at startup on OS X, even in the most recent, patched version of Leopard. This is fully exploitable by a user sitting directly in front of the computer, but for remote attackers it's a classic "privilege escalation" vulnerability, in that it generally needs to be exploited in tandem with a separate security hole in order to work. In any event, the code posted on the Rixstep blog allows any application or user that does not have all-powerful "root" administrative privileges to assume those rights (well, after a reboot, anyway).
