Apple came out Thursday with an iPhone software update that patches 10 security bugs that could enable a hacker to remotely execute malicious code, reveal e-mail credentials, or even make a call without the user's consent. In some cases, however, where the user has tinkered with the guts of the iPhone, the software update has rendered the phone unusable.
The update -- iPhone V1.1.1 -- patches one bug in Bluetooth, two in the device's mail service, and seven in its Safari browser. U.S.-CERT is "strongly encouraging" users to review the advisory and follow best practices in determining what updates should be applied.
The fixes come out amid a lot of brouhaha in the research and hacker communities about software for sale that would enable the smartphone to work on any service provider with a standard GSM SIM card. Just this past Monday, though, Apple warned users that the unauthorized unlocking programs used to connect the device to cellular networks other than AT&T's cause "irreparable damage." The company also warned that the modifications would probably leave the iPhone inoperable once future software updates were installed.
It's not yet clear what the total effect of the fixes on unlocked devices will be, though reports surfacing online, including on Gizmodo, say the update has disabled at least some unlocked iPhones.
"For those who have 'unlocked' their iPhones, there were stories in the press over the last week that a future update would turn the unlocked iPhones into expensive paperweights," wrote Jim Clausing, a handler with the Internet Storm Center, on its daily blog. "It is unclear at present if this update is the one that does it or not (probably not based on the descriptions of the updates included)."
According to Apple's advisory, the update addresses an input validation flaw in the iPhone's Bluetooth server. An attacker within Bluetooth range may be able to crash the application or remotely run malicious code on the device. The company noted that performing additional validation of SDP packets fixes the bug. Apple is giving credit to Kevin Mahaffey and John Hering of Flexilis Mobile Security for finding and reporting the vulnerability.
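The advisory says only that the fix adds validation of SDP packets; it does not describe the flaw itself. The following is an added example, not Apple's code and not derived from the advisory, of what that kind of validation looks like for one SDP request type. The packet layout (5-byte PDU header, data element sequence, MaximumServiceRecordCount, continuation state) follows the Bluetooth SDP specification; the sample packets, the status codes, and the function names are this example's own constructions. The "unchecked" parser is the unsafe pattern: it believes the ParameterLength field in the packet, so any later copy or loop bounded by that field reads past the end of the received buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* SDP PDU header (Bluetooth Core Spec, SDP): PDU ID (1 byte), TransactionID (2 bytes,
 * big-endian), ParameterLength (2 bytes, big-endian), then ParameterLength bytes of
 * parameters.  The numeric constants below come from the spec; the status codes are ours. */
#define SDP_HDR_LEN            5
#define SDP_PDU_SVC_SEARCH_REQ 0x02
#define SDP_MAX_CONT_STATE     16   /* continuation state: 1 length byte + at most 16 bytes */

enum sdp_status {
    SDP_OK = 0,
    SDP_ERR_TRUNCATED,   /* fewer bytes on the wire than the header claims */
    SDP_ERR_TRAILING,    /* more bytes on the wire than the header claims */
    SDP_ERR_PDU_ID,      /* not the PDU type this validator handles */
    SDP_ERR_DATA_ELEM,   /* malformed ServiceSearchPattern data element sequence */
    SDP_ERR_CONT_STATE   /* continuation state length out of range */
};

struct sdp_pdu {
    uint8_t        pdu_id;
    uint16_t       tid;
    uint16_t       param_len;
    const uint8_t *params;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* The unsafe pattern ('before' picture): trusts ParameterLength from the packet. */
int sdp_parse_header_unchecked(const uint8_t *buf, size_t len, struct sdp_pdu *pdu)
{
    if (len < SDP_HDR_LEN) return SDP_ERR_TRUNCATED;
    pdu->pdu_id    = buf[0];
    pdu->tid       = be16(buf + 1);
    pdu->param_len = be16(buf + 3);
    pdu->params    = buf + SDP_HDR_LEN;
    return SDP_OK;
}

/* Hardened header parse: ParameterLength must match exactly what was received. */
int sdp_parse_header(const uint8_t *buf, size_t len, struct sdp_pdu *pdu)
{
    int rc = sdp_parse_header_unchecked(buf, len, pdu);
    if (rc != SDP_OK) return rc;
    if ((size_t)pdu->param_len > len - SDP_HDR_LEN) return SDP_ERR_TRUNCATED;
    if ((size_t)pdu->param_len < len - SDP_HDR_LEN) return SDP_ERR_TRAILING;
    return SDP_OK;
}

/* Total length (header + payload) of the data element at p, or 0 if it does not fit in
 * 'avail' bytes.  First byte: type descriptor in the top 5 bits, size index in the low 3. */
static size_t sdp_data_elem_len(const uint8_t *p, size_t avail, size_t *hdr_out)
{
    static const size_t fixed[5] = { 1, 2, 4, 8, 16 };
    size_t hdr, payload;
    if (avail < 1) return 0;
    uint8_t size_idx = p[0] & 0x07;
    if (size_idx <= 4)      { hdr = 1; payload = fixed[size_idx]; }
    else if (size_idx == 5) { if (avail < 2) return 0; hdr = 2; payload = p[1]; }
    else if (size_idx == 6) { if (avail < 3) return 0; hdr = 3; payload = be16(p + 1); }
    else                    { if (avail < 5) return 0; hdr = 5;
                              payload = ((size_t)be16(p + 1) << 16) | be16(p + 3); }
    if ((p[0] >> 3) == 0) payload = 0;          /* nil element carries no payload */
    if (payload > avail - hdr) return 0;        /* declared length exceeds received bytes */
    *hdr_out = hdr;
    return hdr + payload;
}

/* ServiceSearchRequest parameters: ServiceSearchPattern (sequence of 1..12 UUIDs of
 * 2/4/16 bytes), MaximumServiceRecordCount (2 bytes), ContinuationState (1 + 0..16 bytes). */
int sdp_validate_service_search_req(const struct sdp_pdu *pdu)
{
    const uint8_t *p = pdu->params;
    size_t avail = pdu->param_len, hdr, uh;
    if (pdu->pdu_id != SDP_PDU_SVC_SEARCH_REQ) return SDP_ERR_PDU_ID;
    size_t seq = sdp_data_elem_len(p, avail, &hdr);
    if (seq == 0 || (p[0] >> 3) != 6) return SDP_ERR_DATA_ELEM;   /* type 6 = sequence */
    const uint8_t *u = p + hdr; size_t left = seq - hdr; int n = 0;
    while (left > 0) {                                            /* walk the UUIDs */
        size_t ul = sdp_data_elem_len(u, left, &uh);
        if (ul == 0 || (u[0] >> 3) != 3) return SDP_ERR_DATA_ELEM; /* type 3 = UUID */
        size_t bytes = ul - uh;
        if (bytes != 2 && bytes != 4 && bytes != 16) return SDP_ERR_DATA_ELEM;
        u += ul; left -= ul; n++;
    }
    if (n < 1 || n > 12) return SDP_ERR_DATA_ELEM;
    p += seq; avail -= seq;
    if (avail < 3) return SDP_ERR_TRUNCATED;    /* MaximumServiceRecordCount + cont length */
    p += 2; avail -= 2;
    uint8_t cont_len = p[0];
    if (cont_len > SDP_MAX_CONT_STATE || avail - 1 != cont_len) return SDP_ERR_CONT_STATE;
    return SDP_OK;
}

/* The full check a server would run on a received ServiceSearchRequest. */
int sdp_check_packet(const uint8_t *buf, size_t len)
{
    struct sdp_pdu pdu;
    int rc = sdp_parse_header(buf, len, &pdu);
    return rc != SDP_OK ? rc : sdp_validate_service_search_req(&pdu);
}

/* Constructed sample packets (not captured traffic).  Each searches for UUID16 0x1101. */
const uint8_t sdp_sample_valid[]    = { 0x02,0x00,0x01, 0x00,0x08, 0x35,0x03,0x19,0x11,0x01, 0x00,0x10, 0x00 };
const uint8_t sdp_sample_oversize[] = { 0x02,0x00,0x02, 0xFF,0xFF, 0x35,0x03,0x19,0x11,0x01, 0x00,0x10, 0x00 };
const uint8_t sdp_sample_badcont[]  = { 0x02,0x00,0x03, 0x00,0x09, 0x35,0x03,0x19,0x11,0x01, 0x00,0x10, 0x11,0xAA };
const uint8_t sdp_sample_badseq[]   = { 0x02,0x00,0x04, 0x00,0x08, 0x35,0xFF,0x19,0x11,0x01, 0x00,0x10, 0x00 };

int main(void)
{
    struct sdp_pdu pdu;
    sdp_parse_header_unchecked(sdp_sample_oversize, sizeof sdp_sample_oversize, &pdu);
    printf("unchecked parser believes %u parameter bytes; only %zu received\n",
           pdu.param_len, sizeof sdp_sample_oversize - SDP_HDR_LEN);
    printf("valid=%d oversize=%d badcont=%d badseq=%d\n",
           sdp_check_packet(sdp_sample_valid, sizeof sdp_sample_valid),
           sdp_check_packet(sdp_sample_oversize, sizeof sdp_sample_oversize),
           sdp_check_packet(sdp_sample_badcont, sizeof sdp_sample_badcont),
           sdp_check_packet(sdp_sample_badseq, sizeof sdp_sample_badseq));
    return 0;
}
```

The point of the two header parsers is the one the advisory hints at: every length field in an SDP packet (ParameterLength, each data element's size, the continuation state length) is attacker-controlled and must be checked against the bytes actually received before anything indexes, copies or loops on it. The validator also rejects trailing bytes and nonsensical UUID sizes, which a server does not strictly need for memory safety but which closes off ambiguity that parsers later in the stack might resolve differently.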
The update also fixes two separate bugs in the iPhone's mail service. Because of one flaw, checking e-mail over untrusted networks may lead to information disclosure via a man-in-the-middle attack, according to the advisory. Because of the second mail bug, if a user clicks on a telephone link in an e-mail message, an attacker can cause the device to place a call without user confirmation. Apple explained that the patch fixes the problem by providing a confirmation window before dialing a phone number via a telephone link in mail. The company is crediting Andi Baritchi of McAfee for reporting the dialing issue.
The seven patches for the iPhone's Safari browser fix problems that include the disclosure of URLs, unintended dialing, and several issues with cross-site scripting. It wasn't noted if the bugs in the iPhone version of Safari also would plague Mac and Windows desktop users.