Apple has released the first iPhone update with fixes for [vulnerabilities in Safari][2], WebCore and WebKit. The update is available through iTunes when the iPhone is connected.
iPhone 1.0.1 doesn't add any new features, but the update for Safari 3 on the iPhone addresses the serious flaw brought to light shortly after the iPhone was released. The vulnerability allows a website to perform cross-site scripting.
By combining a flaw in Safari with HTTP redirection, a malicious site could use JavaScript from one page to modify a redirected page, which would allow cookies and pages to be read or arbitrarily modified.
The patch also addresses another issue in Safari which could lead to arbitrary code execution if you visit a maliciously crafted web page.
The WebCore fix is for an issue very similar to the one in Safari, which also allows cross-site requests. The WebKit patch addresses a vulnerability involving look-alike characters in a URL, which could be used to trick users into visiting a malicious site that could then be used to execute arbitrary code.
The researchers who discovered the flaws in Safari were set to reveal the details at the annual Black Hat Conference later this week. Fortunately for users, Apple managed to push out this set of patches before that happened.
For those with hacked iPhones, the update appears to wipe your mods, but various reports claim that Jailbreak still works and I had no problems using iFuntastic even after applying the update (be sure to [grab the latest version][1] though, I can't vouch for earlier versions).
[1]: http://iphonealley.com/downloads/applications/ifuntastic-version-2-1-0-b001
[2]: http://blog.wired.com/monkeybites/2007/07/iphone-flaw-all.html