Apple releases iPhone 3.0.1 software to fix SMS exploit
Responding to a dangerous security exploit unveiled this week, Apple released an update to its iPhone operating system Friday to patch the security hole.
Firmware 3.0.1 is now available for the iPhone, iPhone 3G and iPhone 3GS through iTunes. The update is around 300MB. There is no indication that there are any new features or fixes other than the text message exploit patch.
Earlier Friday, it was reported that Apple would release a fix for the exploit Saturday, but the iPhone maker beat that deadline Friday afternoon.
Security researcher Charlie Miller, co-author of The Mac Hacker?s Handbook, demonstrated the hack Thursday at the Black Hat 2009 conference in Las Vegas. The attack takes advantage of a vulnerability in the phone?s short messaging service, or SMS, feature, allowing an outside party into the phone?s root access without the owner?s knowledge.
The exploit takes advantage of the fact that SMS can send binary code to a phone. That code is automatically processed without user interaction, and can be compiled from multiple messages, allowing larger programs to be sent to a phone. The exploit supposedly exposes the iPhone completely, giving hackers access to the camera, dialer, messaging and Safari. It occurs regardless of hardware revision or which version of the iPhone OS is running.
The technique involves sending only one unusual text character or else a series of "invisible" messages that confuse the phone and open the door to attack. Because users won't know whose messages to block in advance, there's little iPhone owners can do but to shut off the phone immediately if they suspect they're at risk -- a real problem as the trick could also be used to make an iPhone send more messages of its own.
Firmware 3.0.1 is now available for the iPhone, iPhone 3G and iPhone 3GS through iTunes. The update is around 300MB. There is no indication that there are any new features or fixes other than the text message exploit patch.
Earlier Friday, it was reported that Apple would release a fix for the exploit Saturday, but the iPhone maker beat that deadline Friday afternoon.
Security researcher Charlie Miller, co-author of The Mac Hacker?s Handbook, demonstrated the hack Thursday at the Black Hat 2009 conference in Las Vegas. The attack takes advantage of a vulnerability in the phone?s short messaging service, or SMS, feature, allowing an outside party into the phone?s root access without the owner?s knowledge.
The exploit takes advantage of the fact that SMS can send binary code to a phone. That code is automatically processed without user interaction, and can be compiled from multiple messages, allowing larger programs to be sent to a phone. The exploit supposedly exposes the iPhone completely, giving hackers access to the camera, dialer, messaging and Safari. It occurs regardless of hardware revision or which version of the iPhone OS is running.
The technique involves sending only one unusual text character or else a series of "invisible" messages that confuse the phone and open the door to attack. Because users won't know whose messages to block in advance, there's little iPhone owners can do but to shut off the phone immediately if they suspect they're at risk -- a real problem as the trick could also be used to make an iPhone send more messages of its own.
Comments
Pretty sure you mean "Friday", not "Thursday".
downloading it now
Is it snappier?
Mine is only 230 MB.
You win first prize for best complaint - EVER!
Is it snappier?
seems the same, will see. Slacker is working. had some problems with slacker and pandora today with connection timing out. i thought AT&T was cutting me off. 1 week into my billing cycle and i'm up to 428MB of data
>"Apple released an update to its iPhone operating system Thursday"
Pretty sure you mean "Friday", not "Thursday".
Or Saturday, if you're in China, where they're made.
(I'm not sure about Google Android.)
And I didn't get to go to 3.01 for my touch, and I PAID for my update to OS 3.0, so I'm pouting, even if it doesn't do me any good because I don't have SMS! Wah!
So, my download is only..... ZERO!
Wah!
Is it snappier?
Wow. All Snappiness jokes aside, it's significantly faster sync-wise for me.
I haven't used the iPhone itself extensively, since the update yet, but After the Update to 3.0.1, my iPhone backed-up, synced a half dozen purchased apps, photo's, songs, notes, etc. in like 35-40 seconds. The sync bars were screaming. On a 16GB 3GS, with 300MB to spare.
Never ever seen that before.
i have around 23GB of data on mine and usually takes 10 minutes to backup. will see how it goes when i get home
It affects Android as well.
And I didn't get to go to 3.01 for my touch, and I PAID for my update to OS 3.0, so I'm pouting, even if it doesn't do me any good because I don't have SMS! Wah!
So, my download is only..... ZERO!
Wah!
But it seems that Android is fixed--even before Apple did (according to someone posting at MR, anyway). So, everyone but Microsoft has a patch?
As for Touch users... the best feature of a Touch is that it CAN'T get annoying SMS messages from your friends
The exploit also affects Windows Mobile, apparently. As far as I can tell, Microsoft hasn't fixed it--Apple was first. Is that the case?
(I'm not sure about Google Android.)
Apple was notified long before 3.0 came out, and did not issue a patch until over six-weeks later when the OS was released. They did not delay its release to fix this significant flaw, leaving their customers vulnerable for almost two months.
Android had a similar exploit that basically could kick a phone offline indefinitely, which was immediately patched. Microsoft's phone are also affected, but they've only had since Monday (less than a week) to work on it. The WinMo exploit was only found by the guy earlier this week, so they have not had nearly enough time to issue a patch.
Apple, for all their praise and glory, is LAUGHABLE when it comes to security of its products and its customers. It took them 9 months to fix a severe security vulnerability in Java, and that was only because the security researcher released the code to the public. Again, Apple has had ample time to patch a potentially more DANGEROUS flaw in their phones that could give an attacker access to the GPS, knowing exactly where it was in the world. They, once again, only released a patch when the method was known to the public.
Apple sucks at security.
But it seems that Android is fixed--even before Apple did (according to someone posting at MR, anyway). So, everyone but Microsoft has a patch?
Google and Apple have had months of notification before it was discussed publicly. Microsoft's flaw, however, was only discovered this past Monday, meaning they've had less than a week to work on a patch. So in defense of Microsoft, they just haven't had enough time to patch it yet.
Apple on the other hand waited months after knowing about it before they issued a patch, leaving their customers vulnerable. Android was patched much sooner.
"We appreciate the information provided to us about SMS vulnerabilities which affect several mobile phone platforms. This morning, less than 24 hours after a demonstration of this exploit, we've issued a free software update that eliminates the vulnerability from the iPhone. Contrary to what's been reported, no one has been able to take control of the iPhone to gain access to personal information using this exploit."
Kinda important, no? Charlie Miller is full of crap.
Apple was notified long before 3.0 came out, and did not issue a patch until over six-weeks later when the OS was released. They did not delay its release to fix this significant flaw, leaving their customers vulnerable for almost two months.
This is just not true at all.
They had a month from the time Miller announced it, to the day of the black hat conference where he said he would talk about it whether they fixed it or not. He issued a press release a couple of days ago saying how they were "slow" and they fixed it today.
... Microsoft's phone are also affected, but they've only had since Monday (less than a week) to work on it. The WinMo exploit was only found by the guy earlier this week, so they have not had nearly enough time to issue a patch. ...
This is just misleading. They had a reasonable expectation when this was announced a month ago that the same exploit would also affect them. The fact that a guy only proved this was the case a week ago is irrelevant to the fact that any dimwit could see that the bug was almost certainly going to affect them also. It's Microsoft that sucks at security and always has. They are the only ones to dat the haven't fixed it, even though Miller never even mentions them in his chest pounding press releases.
it's also worth mentioning that the character has no business being sent to a phone in the first place and if blame is to be apportioned, the carrier is probably more at fault than anyone for not filtering it out in the first place.