Apple leaves iPad vulnerable after monster iPhone patch job
Monday's iOS 4 patches record 65 bugs; iPad won't get fixes until the fall
Computerworld - As part of Monday's iOS 4 upgrade, Apple patched a record 65 vulnerabilities in the iPhone, more than half of them critical.
Apple released iOS 4 for the iPhone 3G and 3GS, and the second- and third-generation iPod Touch on Monday shortly after 1 p.m. Eastern time, 10 a.m. Pacific time.
However, the first-generation iPhone and iPod Touch, as well as the much newer iPad, may be vulnerable to some or all of the 65 bugs. The new iOS 4 operating system, which launched yesterday, can't be installed on 2007's iPhone and iPod Touch, and the upgrade is not slated to reach iPad owners until this fall.
The bug count is a record for Apple's iPhone, surpassing the previous high mark of 46 vulnerabilities patched last summer with iPhone OS 3.0.
Formerly known as iPhone OS 4, iOS 4 included patches for 35 bugs, or 54% of the total, that were tagged with the phrase "arbitrary code execution," which is Apple's way of saying the vulnerability is critical and could be used to hijack an iPhone or an iPod Touch. Unlike other software makers, such as Microsoft, Apple does not rank flaws with a threat-scoring system.
Most of the patched vulnerabilities were in WebKit, the open-source browser engine that powers Safari on Apple's mobile devices, as well as Safari for Mac OS X and Windows, and Google's Chrome browser.
Among the 50 WebKit vulnerabilities addressed in iOS 4 was the one used by the two-man team of Vincenzo Iozzo and Ralf-Philipp Weinmann to hack an Apple iPhone 3GS in five minutes at the Pwn2Own contest in March. TippingPoint's 's Zero Day Initiative (ZDI) bug-bounty program paid the two researchers $15,000 -- a record amount for the four-year-old Pwn2Own contest -- for the Safari bug and exploit they used to break into the iPhone.
Apple had patched the same bug in the desktop edition of Safari on June 7, when it rolled out a record-setting 48-patch update as part of Safari 5.
The 15 non-WebKit patches included a pair that addressed glitches in the password-locking feature of the iPhone and the iPod Touch.
Apple has had problems with the iPhone's password-locking feature in the past. In August 2008, a researcher discovered that Apple had forgotten to patch a bug that let people sidestep locking by simply tapping "Emergency Call" on the password-entry screen and then double-tapping the Home button. The bug had been patched in January 2008, but it resurfaced in iPhone 2.0. Apple repatched it a month later.
In February 2010, the last time before Monday that Apple updated the iPhone's firmware, the company fixed another passcode flaw, which could be used to bypass the security feature when a user was restoring an unresponsive smartphone.
It's unclear how many, if any, of the vulnerabilities patched this week affect Apple's iPad. Although the iPad isn't slated to receive the iOS 4 update until sometime this fall, the media tablet runs an interim version of the operating system, dubbed iPhone 3.2, that followed the February iPhone 3.1.3 security update. It's possible that some of the bugs patched Monday were fixed by Apple before it launched the iPad in early April.
But according to the CVE (Common Vulnerabilities & Exposures) database, it's likely that many of the flaws fixed yesterday still exist in the iPad's iPhone 3.2 operating system.
Searches of the vulnerability identifiers listed in Monday's security advisory revealed that eight of the 15 non-WebKit bugs were added to the CVE database in early May, a full month after the iPad's debut. Five others were patched by Apple in Safari and Mac OS X updates issued in late March, just days before the iPad went on sale.
Owners of iPhones and iPod Touches can wait out the update interval -- iTunes automatically checks Apple's update servers once a week -- or retrieve iOS 4 manually by selecting "Check for Update" under iTunes 9.2's Help menu and then docking the iPhone or iPod Touch to a PC or Macintosh.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
Apple's iOS 4
- Facebook blocks access to hidden iPad app
- LTE iPhone unlikely this year, says analyst
- Apple slams Amazon's Android e-store as 'inferior'
- Apple iOS: Why it's the most secure OS, period
- Apple launches iWork productivity apps for iPhone
- Analysts split on iPhone over-the-air-update buzz
- Apple's iOS 4.3 a welcome update for iPad, iPhone
- iOS 4.3 boosts first-gen iPad browser speed by 18%
- Update: Apple jumps gun, delivers early iOS 4.3 update for AT&T iPhone, iPad
- iPhone dev knocks Apple over vague new sub rules
Read more about Macintosh in Computerworld's Macintosh Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Best Practices in BYOD: BlackBerry Enterprise Service 10 Manageability, security and support - these are just a few of the reasons BlackBerry® Enterprise Service 10 is such a powerful Enterprise Mobility...
- How to Migrate from BlackBerry Enterprise Server v4.0 or v5.0 to BlackBerry Enterprise Service 10 With BlackBerry® Enterprise Service 10, you can manage your entire mobile fleet through a single, unified interface. Find out how to make the...
- Choosing an MDM Platform: Where to Start the Conversation If you're in the early stages of choosing an MDM solution, or you're considering switching vendors, here are seven critical questions to ask...
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Mobile Apps and Devices Slash Customer Cycle Time Consolidated Engineering Laboratories' field employees used to collect data on triplicate forms that were sometimes hard to read and difficult to manage. After...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources... All Macintosh White Papers | Webcasts