Apple patches critical flaws in iPhone, iPod Touch

Quashes yet another password-bypass bug

Apple today patched five vulnerabilities in the iPhone's operating system, including one in a password-locking feature that's required attention before.

iPhone OS 3.1.3, the first update since September 2009, addressed five bugs, three of which were tagged with the phrase "arbitrary code execution," Apple-speak for a critical vulnerability. Unlike other software makers, such as Microsoft and Oracle, Apple does not rank flaws with a threat-scoring system.

The vulnerability that stood out to Andrew Storms, director of security operations at nCircle Network Security, was the one in the iPhone's recovery mode, which is used to restore the smartphone when it's completely unresponsive. "A memory corruption issue exists in the handling of a certain USB control message," said Apple's advisory. "A person with physical access to the device could use this to bypass the passcode and access the user's data."

In other words, data on a lost, but locked, iPhone could be accessed by whomever finds it.

Storms pointed out that Apple patched a vulnerability in recovery mode last September when it updated the iPhone OS to 3.1.1. At the time, Apple's description of the flaw was similar to today's copy: "A heap buffer overflow exists in Recovery Mode command parsing. This may allow another person with physical access to the device to bypass the passcode, and access the user's data."

Apple has had problems with the iPhone's password-locking feature in the past. In August 2008, a researcher discovered that Apple had forgotten to patch a bug that let people sidestep locking by simply tapping "Emergency Call" on the password-entry screen, then double-tapping the Home button. The bug had been patched in January 2008, but resurfaced in iPhone 2.0. Apple re-patched it a month later.

The other four holes plugged today aren't much to worry about, said Storms. "The small number is a good sign," he said. "Plus, we're not seeing horrendous WebKit vulnerabilities that could be exploited by getting people to a Web site." WebKit is the open-source browser engine used by Apple to power Safari on the iPhone and iPod Touch.

One of the two WebKit bugs is in how the browser engine deals with HTML 5 external resources, such as images or video files. "The sender of an HTML-formatted e-mail message could use this to determine that the message was read," said Apple's advisory.

"That's a marketing or spammer kind of tool," said Storms, equating it with the practice of inserting images in e-mail to monitor the rate at which victims read the spam.

With the appearance of iPhone 3.1.3 -- and the recent unveiling of Apple's iPad by CEO Steve Jobs -- Storms expects that the next update of the smartphone's firmware won't take place until this summer, when a major upgrade will likely be launched alongside a new iPhone. "We're looking later in the year, I think," he said.

According to Apple, the iPhone 3.1.3 update also improves the accuracy of battery level reporting on the iPhone 3GS and fixes a problem that in some cases prevented third-party apps from launching.

iPhone and iPod Touch owners can wait out the update interval -- iTunes automatically checks Apple's update servers once a week -- or retrieve iPhone 3.1.3 manually by selecting "Check for Update" under the iTunes Help menu and then docking the iPhone to a PC or Macintosh.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, send e-mail to or subscribe to Gregg's RSS feed .

Copyright © 2010 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon