informa
Commentary

iPhone 3.0 Software Sports Snazzy New Features, Sure: It Also plugs a Whopping 46 Security Flaws

The nearly four dozen security holes filled in the iPhone 3.0 software published by Apple yesterday have gone nearly ignored with all of the buzz surrounding the new features. But these flaws aren't anything you want to put on hold.
The nearly four dozen security holes filled in the iPhone 3.0 software published by Apple yesterday have gone nearly ignored with all of the buzz surrounding the new features. But these flaws aren't anything you want to put on hold.Check it out: 46 vulnerabilities in all. Some of these security flaws are almost a year old, such as CVE-2008-2320.

Many of these flaws, including CVE-2008-3623, CVE-2009-0145, CVE-2009-0146, CVE-2009-0147, CVE-2009-0165, CVE-2009-0155, CVE-2009-1179, CVE-2009-0946, CVE-2009-0040, CVE-2008-3281, CVE-2008-3529, CVE-2008-4409, CVE-2008-4225, CVE-2008-4226, CVE-2008-2320, CVE-2009-0945, CVE-2009-1686, CVE-2009-1687, CVE-2009-1690, CVE-2009-1698, and CVE-2009-1701 -- can all lead to "arbitrary code execution" -- which, in security speak, means "the attacker can run whatever code they please on your device."

Many of the flaws involve WebKit, CoreGraphics, and Safari. Complete details are available on Apple's support page.

I enjoy my iPhone -- but with this many software vulnerabilities being dumped all at the same time, and most likely timed with the 3.0 release to avoid much scrutiny -- I wouldn't sanction these devices for corporate use.

To make matters worse, it seems those running the iPod touch software have to pay $10 for the upgrade -- which means if they use their iPod touch to check e-mail or surf the Web -- they're vulnerable to all of these flaws. One shouldn't have to pay to have to security-related software defects fixed.

An e-mail to Apple asking whether iPod users can get the security update -- without having to pay for the privilege -- when unanswered by Apple PR.

Recommended Reading: