Thoughtful, detailed coverage of the Mac, iPhone, and iPad, plus the TidBITS Content Network for Apple consultants.

iOS Security Fixes Released for Serious Vulnerabilities

Fixes for two serious holes in iOS are now available in the form of iOS 3.2.2 for iPad and iOS 4.0.2 for 2008 and later models of iPhone and iPod touch. Attach your iOS device (or devices) to the computer with which you sync using iTunes, and use iTunes to download and install the upgrade.

One flaw lies in TrueType handling within Apple's iOS PDF display software. A PDF with fonts crafted in a particular way could allow a malicious party to run any code on an iOS device simply by getting you to view the PDF file. That flaw is paired with a second in IOSurface, a framework for buffering or holding images in memory. The IOSurface flaw allows the code to be executed in a way that gives the attack full system privileges.

At that point, an attacker could enable remote access, copy or delete all your data, or install background monitoring or call-interception software.

The flaws were revealed as part of the first successful iPhone 4 jailbreak in iOS 4, which required only that you visited a particular Web page. The escalation of privileges enabled the jailbreak software to crack Apple's protection against installing software other than that which the company allows.

Apple apparently no longer provides security upgrades for the iPhone 3.1 software branch, which is unfortunate as some iPhone 3G users were forced to revert from iOS 4 to 3.1.3 due to significant performance problems that Apple has said it is investigating.

Even with iOS 4 being a free upgrade, Apple should provide security fixes for known, significant problems in the previous widely used OS release. Further, original iPhone and iPod touch users will likely also be subject to these flaws, and cannot upgrade to iOS 4.


Try productivity tools from Smile that will make your job easier!
PDFpen: PDF toolkit for busy pros on Mac, iPhone, and iPad.
TextExpander: Your shortcut to accurate writing on Mac, Windows,
and iOS. Free trials and friendly support. <>

Comments about iOS Security Fixes Released for Serious Vulnerabilities
(Comments are closed.)

Ian Stavert  2010-08-11 13:58
Yeah I want an security fix for my 3G phone as I am not going to install iOS4 due to the performance crippling issues on the 3 series phones.
A lot more than "some" 3G users are having problems with iOSlow. There have been over 200,000 views of the thread titled "Iphone 3G OS4 problems" on Apple's web site. And another 200,000 views of another thread about the slowdowns caused by iOSlow. Not to mention the hundreds of irate postings on the WSJ article.

Hundreds of thousands of 3G owners are still locked into their multi-year service contracts. By signing the contracts, customers expected their 3G phones to function acceptably for the duration of the plans. Simply buying a new shiny iPhone 4 is not an option.

To rebuild their tarnished iPhone (antennagate) reputation, Apple needs to support all 3G owners by releasing this bug fix for the still-widely-used 3.1.3 release.
Adam Engst  An apple icon for a TidBITS Staffer 2010-08-11 19:49
Yep, we really need to write something about this, but I just haven't had the time to run it down with our older iPhone 3G. We said "some" users have reverted because that's accurate - whether or not a lot of had the problem, reverting isn't easy enough to do that most people would be doing that.
David S.  2010-08-12 15:43
Apple's failure to state whether the issues affect iOS 3.1, and if they do whether they intend to patch that version as well, is inexcusable. Lots of people are stuck on that version - 1G iPhone and iPod touch users, and they deserve to know if they are exposed to this very serious security issue or not.
My son called me just past 5 pm tonight, upset that his 3G iPhone had just locked up, then crashed, as he tried to answer a phone call for a job interview. When he "upgraded" [downgraded] to iOS4, it lost his address book which took a few weeks to reconstruct, since it also trashed the backup. His iPhone is slower, less reliable. However, Apple didn't provide a simple remedy to go back to the previous OS.

Apple really should address these problems since Apple broke his iPhone, not him. 3G and 2G phones aren't that ancient. Serious security flaws must also be addressed, back to the earliest iPhone models, iPod Touch too.

Adam, please look into this issue with older iPhones/iPods and let us know what you find and how to fix the iPhones that Apple broke. Thanks!