Apple Pushes Out IPhone Patches Before Black Hat Conference
Apple has released the first iPhone update with fixes for vulnerabilities in Safari, WebCore and WebKit. The update is available through iTunes when the iPhone is connected. Perhaps
not coincidentally, Apple managed to push out this set of patches just before the briefings began at the 2007 Black Hat Conference, taking place Thursday and Friday in Las Vegas, Nevada. The researchers who discovered the flaws in Safari were set to reveal
the details of their finds at the annual hacker conference.
IPhone 1.0.1 doesn???t add any new features, but the update for Safari on the iPhone addresses the serious flaw brought to light shortly after the device was released. The vulnerability gives a website the ability to allow cross-site scripting. By combining a flaw in Safari with HTTP redirection, a malicious site could use JavaScript from one page to modify a redirected page which would allow cookies and pages to be read or arbitrarily modified.
The patch also addresses another issue in Safari which could lead to arbitrary code execution if you visit a maliciously crafted web page.
The WebCore patch fixes an issue very similar to that of Safari which also allows cross-site requests. The vulnerability involves the use of look-alike characters in a URL which could used to trick users into visiting a malicious site where arbitrary code could be executed.
For those with hacked iPhones, the update appears to wipe your mods, but various reports claim that Jailbreak still works. Also, I had no problems using iFuntastic even after applying the update (be sure to grab the latest version though, I can???t vouch for earlier versions).
