Weldon did a phenomenal job covering the visible and functional changes in the iPhone/iPod touch 2.2 firmware release. If you are holding off on the update, or just haven’t gotten to it yet, you may want to pencil in some time with iTunes, as there are twelve security fixes in this firmware release, each addressing an issue that leaves your device and/or data vulnerable to attack.
- CVE-2008-4228 & CVE-2008-4229 & CVE-2008-4230 – Passcode Lock – iPhone provides the ability to make an emergency call when locked. Currently, an emergency call may be placed to any number. A person with physical access to an iPhone may take advantage of this feature to place arbitrary calls which are charged to the iPhone owner. This update addresses the issue by restricting emergency calls to a limited set of phone numbers. Also, a person with physical access to the device had the ability (under certain circumstances) to launch applications without the passcode. In addition, if an SMS message arrived while the emergency call screen was visible, the entire SMS message would have been displayed, even if the “Show SMS Preview” preference was set to “OFF”.
- CVE-2008-2327 & CVE-2008-1586 – ImageIO – Viewing a TIFF image that was crafted to take advantage of poorly coded compression libraries could lead to attackers running any code they choose (i.e. arbitrary code execution) on your system or cause system instability/force a reset (Denial of Service/DoS).
- CVE-2008-2321 – CoreGraphics – Very similar to the ImageIO problem, this involves attackers using a specially crafted web site to achieve the same results.
- CVE-2008-4227 – Networking – Your PPTP VPN connections may not be as strongly encrypted as they should be.
- CVE-2008-4211 – Office Viewer – If you view Excel files on your device, you are susceptible to arbitrary code execution or DoS attacks.
- CVE-2008-4231 & CVE-2008-4232 & CVE-2008-4233 – Safari – Nasty HTML TABLES (and, when are HTML TABLES not nasty?) and insidious IFRAMEs lead the list of Safari problems, but a particularly tricky bug regarding phone calls you did not deliberately make is now fixed by Apple properly dismissing Safari’s call approval dialogs when an application is being launched via Safari.
- CVE-2008-3644 – WebKit – Even if you were a good web programmer and disabled autocomplete on “sensitive” form fields, Mobile Safari may still have saved that field data in the browser page cache. Individuals with physical access to the device could pretty easily gain access to that information.
Organizations that allow iPhones to be used for business purposes should do their best to ensure all users are upgraded as soon as possible. Individuals should take note of the reduced security posture prior to the 2.2 firmware and make their own risk-based decisions (but upgrading gets you the cool new Street View, so go ahead and upgrade now!).