iPhone 3.0 Update Fixes 46 Security Flaws

From PC World: Forty-six security holes have been patched in this week's iPhone 3.0 software update, Apple says.

In its iPhone 3.0 update security advisory, Apple describes six flaws in CoreGraphics which have now been fixed. One CoreGraphics flaw meant that viewing a maliciously crafted image could lead to an unexpected application termination or arbitrary code execution. Apple describes another flaw in which "opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution".

The impact of a flaw in Mail is described thus: "Users do not have control over the loading of remote images in HTML messages". This security hole was present because Mail did not provide a preference to turn off the automatic loading of remote images. "Opening an HTML email containing a remote image will automatically request it," explains Apple.

A Safari bug meant that clearing Safari's history via the Settings application did not prevent disclosure of the search history to a person with physical access to the device. The iPhone 3.0 update addresses the issue by removing the search history when Safari's history is cleared via the Settings application. Apple gives credit to Joshua Belsky for reporting this issue.

Other flaws are fixed in Exchange, ImageIO, Unicode, IPSec, MPEG-4 Video Codec, Profiles, and Telephony, along with a further 20 flaws in WebKit.
