Apple releases iPhone 3.0.1 software to fix SMS exploit

Posted:
in iPhone edited January 2014
Responding to a dangerous security exploit unveiled this week, Apple released an update to its iPhone operating system Friday to patch the security hole.



Firmware 3.0.1 is now available for the iPhone, iPhone 3G and iPhone 3GS through iTunes. The update is around 300MB. There is no indication that there are any new features or fixes other than the text message exploit patch.



Earlier Friday, it was reported that Apple would release a fix for the exploit Saturday, but the iPhone maker beat that deadline Friday afternoon.



Security researcher Charlie Miller, co-author of The Mac Hacker?s Handbook, demonstrated the hack Thursday at the Black Hat 2009 conference in Las Vegas. The attack takes advantage of a vulnerability in the phone?s short messaging service, or SMS, feature, allowing an outside party into the phone?s root access without the owner?s knowledge.



The exploit takes advantage of the fact that SMS can send binary code to a phone. That code is automatically processed without user interaction, and can be compiled from multiple messages, allowing larger programs to be sent to a phone. The exploit supposedly exposes the iPhone completely, giving hackers access to the camera, dialer, messaging and Safari. It occurs regardless of hardware revision or which version of the iPhone OS is running.







The technique involves sending only one unusual text character or else a series of "invisible" messages that confuse the phone and open the door to attack. Because users won't know whose messages to block in advance, there's little iPhone owners can do but to shut off the phone immediately if they suspect they're at risk -- a real problem as the trick could also be used to make an iPhone send more messages of its own.
«1345

Comments

  • Reply 1 of 91
    ktappektappe Posts: 808member
    >"Apple released an update to its iPhone operating system Thursday"



    Pretty sure you mean "Friday", not "Thursday".
  • Reply 2 of 91
    al_bundyal_bundy Posts: 1,525member
    downloading it now
  • Reply 3 of 91
    teckstudteckstud Posts: 6,476member
    Quote:
    Originally Posted by al_bundy View Post


    downloading it now



    Is it snappier?
  • Reply 4 of 91
    Mine is only 230.1 MB.
  • Reply 5 of 91
    teckstudteckstud Posts: 6,476member
    Quote:
    Originally Posted by DanaCameron View Post


    Mine is only 230 MB.



    You win first prize for best complaint - EVER!
  • Reply 6 of 91
    al_bundyal_bundy Posts: 1,525member
    Quote:
    Originally Posted by teckstud View Post


    Is it snappier?



    seems the same, will see. Slacker is working. had some problems with slacker and pandora today with connection timing out. i thought AT&T was cutting me off. 1 week into my billing cycle and i'm up to 428MB of data
  • Reply 7 of 91
    teckstudteckstud Posts: 6,476member
    Quote:
    Originally Posted by ktappe View Post


    >"Apple released an update to its iPhone operating system Thursday"



    Pretty sure you mean "Friday", not "Thursday".



    Or Saturday, if you're in China, where they're made.
  • Reply 8 of 91
    nagrommenagromme Posts: 2,834member
    The exploit also affects Windows Mobile, apparently. As far as I can tell, Microsoft hasn't fixed it--Apple was first. Is that the case?



    (I'm not sure about Google Android.)
  • Reply 9 of 91
    gregoriusmgregoriusm Posts: 499member
    It affects Android as well.



    And I didn't get to go to 3.01 for my touch, and I PAID for my update to OS 3.0, so I'm pouting, even if it doesn't do me any good because I don't have SMS! Wah!



    So, my download is only..... ZERO!



    Wah!
  • Reply 10 of 91
    BuffyzDeadBuffyzDead Posts: 350member
    Quote:
    Originally Posted by teckstud View Post


    Is it snappier?



    Wow. All Snappiness jokes aside, it's significantly faster sync-wise for me.



    I haven't used the iPhone itself extensively, since the update yet, but After the Update to 3.0.1, my iPhone backed-up, synced a half dozen purchased apps, photo's, songs, notes, etc. in like 35-40 seconds. The sync bars were screaming. On a 16GB 3GS, with 300MB to spare.



    Never ever seen that before.

  • Reply 11 of 91
    al_bundyal_bundy Posts: 1,525member
    mine seemed to backup faster as well



    i have around 23GB of data on mine and usually takes 10 minutes to backup. will see how it goes when i get home
  • Reply 12 of 91
    nagrommenagromme Posts: 2,834member
    Quote:
    Originally Posted by GregoriusM View Post


    It affects Android as well.



    And I didn't get to go to 3.01 for my touch, and I PAID for my update to OS 3.0, so I'm pouting, even if it doesn't do me any good because I don't have SMS! Wah!



    So, my download is only..... ZERO!



    Wah!



    But it seems that Android is fixed--even before Apple did (according to someone posting at MR, anyway). So, everyone but Microsoft has a patch?



    As for Touch users... the best feature of a Touch is that it CAN'T get annoying SMS messages from your friends
  • Reply 13 of 91
    yuusharoyuusharo Posts: 311member
    Quote:
    Originally Posted by nagromme View Post


    The exploit also affects Windows Mobile, apparently. As far as I can tell, Microsoft hasn't fixed it--Apple was first. Is that the case?



    (I'm not sure about Google Android.)



    Apple was notified long before 3.0 came out, and did not issue a patch until over six-weeks later when the OS was released. They did not delay its release to fix this significant flaw, leaving their customers vulnerable for almost two months.



    Android had a similar exploit that basically could kick a phone offline indefinitely, which was immediately patched. Microsoft's phone are also affected, but they've only had since Monday (less than a week) to work on it. The WinMo exploit was only found by the guy earlier this week, so they have not had nearly enough time to issue a patch.



    Apple, for all their praise and glory, is LAUGHABLE when it comes to security of its products and its customers. It took them 9 months to fix a severe security vulnerability in Java, and that was only because the security researcher released the code to the public. Again, Apple has had ample time to patch a potentially more DANGEROUS flaw in their phones that could give an attacker access to the GPS, knowing exactly where it was in the world. They, once again, only released a patch when the method was known to the public.



    Apple sucks at security.
  • Reply 14 of 91
    yuusharoyuusharo Posts: 311member
    Quote:
    Originally Posted by nagromme View Post


    But it seems that Android is fixed--even before Apple did (according to someone posting at MR, anyway). So, everyone but Microsoft has a patch?



    Google and Apple have had months of notification before it was discussed publicly. Microsoft's flaw, however, was only discovered this past Monday, meaning they've had less than a week to work on a patch. So in defense of Microsoft, they just haven't had enough time to patch it yet.



    Apple on the other hand waited months after knowing about it before they issued a patch, leaving their customers vulnerable. Android was patched much sooner.
  • Reply 15 of 91
    gto65lgto65l Posts: 42member
    Have there been any documented instances of this flaw being used maliciously?
  • Reply 16 of 91
    ismofamismofam Posts: 41member
    Is the update "safe" for jailbroken and unlocked i Phones?
  • Reply 17 of 91
    akf2000akf2000 Posts: 223member
    eugh! i'm on 3.1, is there a 3.1.1 beta yet??
  • Reply 18 of 91
    zoolookzoolook Posts: 657member
    AI... you missed this text with the update from Apple:



    "We appreciate the information provided to us about SMS vulnerabilities which affect several mobile phone platforms. This morning, less than 24 hours after a demonstration of this exploit, we've issued a free software update that eliminates the vulnerability from the iPhone. Contrary to what's been reported, no one has been able to take control of the iPhone to gain access to personal information using this exploit."



    Kinda important, no? Charlie Miller is full of crap.
  • Reply 19 of 91
    blippioblippio Posts: 7member
    anyone know if this update breaks the IPCC tethering hack? \
  • Reply 20 of 91
    virgil-tb2virgil-tb2 Posts: 1,416member
    Quote:
    Originally Posted by yuusharo View Post


    Apple was notified long before 3.0 came out, and did not issue a patch until over six-weeks later when the OS was released. They did not delay its release to fix this significant flaw, leaving their customers vulnerable for almost two months.



    This is just not true at all.



    They had a month from the time Miller announced it, to the day of the black hat conference where he said he would talk about it whether they fixed it or not. He issued a press release a couple of days ago saying how they were "slow" and they fixed it today.



    Quote:
    Originally Posted by yuusharo View Post


    ... Microsoft's phone are also affected, but they've only had since Monday (less than a week) to work on it. The WinMo exploit was only found by the guy earlier this week, so they have not had nearly enough time to issue a patch. ...



    This is just misleading. They had a reasonable expectation when this was announced a month ago that the same exploit would also affect them. The fact that a guy only proved this was the case a week ago is irrelevant to the fact that any dimwit could see that the bug was almost certainly going to affect them also. It's Microsoft that sucks at security and always has. They are the only ones to dat the haven't fixed it, even though Miller never even mentions them in his chest pounding press releases.



    it's also worth mentioning that the character has no business being sent to a phone in the first place and if blame is to be apportioned, the carrier is probably more at fault than anyone for not filtering it out in the first place.
Sign In or Register to comment.