Forgot your password?
typodupeerror
Portables (Apple) Cellphones Handhelds Security Hardware

iPhone 3.0 Update Delivers Prodigious Patch Batch 150

Posted by timothy
from the switched-housemate's-iphone-to-danish dept.
CWmike writes "Apple patched 46 security vulnerabilities in the iPhone and iPod Touch, half of them in the Safari browser and its WebKit rendering engine, as it released iPhone OS 3.0 on Wednesday. One of the patched WebKit vulnerabilities stands out because of the attention it received in March, when a German college student, Nils, walked away with a $5,000 cash prize for hacking Safari at the Pwn2Own challenge. Nils used a bug in WebKit's handling of SVGList objects to crack Safari."
This discussion has been archived. No new comments can be posted.

iPhone 3.0 Update Delivers Prodigious Patch Batch

Comments Filter:
  • Does it support copy & paste?
  • I am disappointed! (Score:2, Interesting)

    by hansraj (458504)

    Frankly I don't know what all the hoopla about iPhone OS 3.0 is about. I was hoping to use compass with google map after the update on my iPhone 3G, but all I got was a lousy voice-memo software.

    And before anyone points out that iPhone 3G didn't have compass built into the hardware - It is supposed to be apple! I expect nothing sort of miracles from Steve Jobs!!

    On a serious note, tethering was supposed to be there without the need to jailbreak your phone, but it is not available in US, and it is not availab

    • by alannon (54117) on Thursday June 18, 2009 @04:24PM (#28379935)

      Rogers/Fido in Canada, surprisingly, will allow tethering.

      • Re: (Score:1, Informative)

        by Anonymous Coward
        Correct about Rogers/Fido in canada - just watch your bandwidth usage to avoid $50k bandwidth bill.
      • by Xocet_00 (635069) on Thursday June 18, 2009 @05:29PM (#28380989)
        I found this [rogers.com] earlier today indicating that Rogers will allow anyone with a 1GB or greater data plan to tether. I called them to confirm and I am in fact allowed to consume bandwidth right up to my 6GB cap, same as if I was consuming the bandwidth on the phone itself.

        The really surprising thing is that it's automatic. I didn't have to get them to turn anything on in my account. I simply turned it on in the Network Settings page and was able to tether my Windows 7 laptop and a friends Macbook Pro over both Bluetooth and USB without issues and, even more surprisingly, without iTunes installed (on the Win7 machine).

        Bandwidth was around 3Mbps down and 0.3Mbps up, with a minimum ping of around 150ms, tested on multiple servers using Speedtest.net. This is in the middle of Halifax, NS.
        • "As if I was consuming the bandwidth on the phone itself."

          Have they gotten to the point where they have actually tricked you into thinking there's a difference?

          You ARE consuming the bandwidth on the phone itself.
          The phone happens to be relaying the data to a PC. So what? My old phone and $30 AT&T unlimited plan from over years ago does this (over USB instead of WiFi, but given the choice I'd use USB anyway).

          • by vux984 (928602) on Thursday June 18, 2009 @06:40PM (#28381983)

            Have they gotten to the point where they have actually tricked you into thinking there's a difference?

            There is a difference. Its subtle, but important. But its not a technical difference it has to do with with service levels, over selling, marketing, and pricing. But that doesn't mean its any less "real.

            Essentially, when they give you a 6GB data plan they are overselling their capacity. They know this. I know this. And now you know this. Its not a secret, its not 'teh evil'. If -everyone- used 6GB every month they'd be unable to deliver the service reliably at that price.

            Hi end users are subsidized by low end users. Low end users are happy that they have 6GB and don't have to worry about bandwidth everytime they check their email. The carrier has a good idea what the distribution of users is, and knows that it can offer 6gb for $30 bucks, overselling what they can actually deliver at that price, but secure in the knowledge that the mathematical models of their customer's usage patterns virtually gaurantee they won't have to.

            But that all assumes no tethering. Its a no brainer to sell 'unlimited data' to a blackberry user a couple product cycles back-- the thing only did email really well, and web browsing poorly. Add in tethering, and suddenly a sizeable chunk of customers on unlimited go from 'low/moderate' usage measured in the kilobytes per day to super-users in the 10s of megabytes per day. Someone that historically only checks his email on his device, getting the odd document, or mp3... well now he now downloading his operating system service pack, virus software update, while watching youtube.

            The mathematical model changes. Bottom line: if they allow tethering, consumption goes up sharply for a significant group of consumers. They need to deliver more total bandwidth. That additional capacity costs more to supply and maintain. So they need to charge more for it.

            And so we have 'no tethering' in some areas or 'tethering feature' charges in other areas. As as we move forward, the devices become more powerful, and its actually possible to use significant bandwidth on them, but even now, bandwidth usage per unit for untethered use is an order of magnitude lower than what tethered users use.

            The carriers fear they would be unable to deliver reliable service at that level at that price point with wide spread tethering. So they're beign cautious about it, and looking to tier the service so that people who need it pay for it.

            A final word out to those who despise over-selling and thing the ISP shouldn't do it. Shut the hell up. We, the /. power users, benefit from over selling the most. Its our usage that is subsidized by the low end users. Its because of overselling we can get 6GB for $30 in the first place. If they got rid of overselling the prices we'd pay would shoot sky high, and we'd all pay by the megabyte or some other metering right from the first byte. That would suck.

            That's not saying that ISPs are angelic entities looking out for us, but overselling is good business that generally benefits the consumer with lower prices and services offered in a form that we like (I want a 6GB plan more than a plan that charges me 1$ per MB. Over selling and makes efficient use of the available resource...it a case of the free market actually working.

            • by MobyDisk (75490)

              Bottom line: if they allow tethering, consumption goes up sharply for a significant group of consumers.

              Then just charge people for a tethering plan instead of banning tethering. DUH!

              This is soooooooo lame I can't stand it. If tethering uses more bandwidth, then I'll pay for it. I'm not trying to get something for free! I'm a business user, and it would be a business expense, so that's fine. But instead they ban it entirely - so I have to buy a separate card + a whole separate data plan with a separate bill. That makes no sense.

        • Tethering does not work for me. I get a message to contact Rogers about tethering on my iPhone when I try to enable it in the network settings.

          • Originally I was getting this message as well, which is why I called them in the first place. The techs told me that they were enabling the feature gradually (pushing some sort of update to the phone?) and that it would be available nationwide tomorrow (Friday).
      • Re: (Score:3, Informative)

        by dimeglio (456244)

        They also allow it on the BB storm.

      • by mini me (132455)

        Rogers have allowed tethering up until this point. They are taking it away at the end of year though.

    • by Nixoloco (675549) on Thursday June 18, 2009 @04:27PM (#28379987)

      If you have AT&T in the US, you can enable tethering and MMS without jailbreaking. It is pretty convoluted process, but it works. This isn't Apple's fault though, but AT&T's.
      http://www.krillr.com/blog/3DPQHBZ3/i-have-tethering-and-mms-on-my-iphone-and-yes-im-on-att [krillr.com]
      • Re: (Score:3, Informative)

        Just be careful - actually doing so and getting caught at it is a violation of your TOS.
        • by sexconker (1179573) on Thursday June 18, 2009 @06:06PM (#28381535)

          What are they going to do? Stop taking your money every month?

          • Re: (Score:3, Funny)

            by jo42 (227475)

            They'll use it as an excuse to take even more of your money every month. Don't want that now, do we?

          • No, they'll start charging you for data as though you were on a regular data tariff and not super-unlimited iPhone Special tariff, wait three months as you rack up $6000 in mobile data charges, then sue you for breach of contract.

            You're talking about an entity very good at writing contracts so they hold all of the cards. A "Enabling features not supported by AT&T can result in extra mobile data charges." clause would be very easy to support in court.
            • No it wouldn't.

              I can show that those features ARE supported by AT&T on other phones and to other customers, with no additional charges.

              AT&T has N O T H I N G to do with the enabling of tethering. There is no difference on AT&T's end whether or not my phone is pulling data for itself or is pulling data for a PC. This is a feature of the PHONE.

              AT&T would have to prove that they have any involvement with the feature at all. I could demonstrate in court my phone browsing the web by itself,

    • by jabithew (1340853)

      O2 in the UK allow tethering, for some crazy amount of money extra.

    • If you have a data plan of 1 gig per month or better, tethering data comes out of your regular monthly allowance - no extra charge. I must say that this was a pleasant surprise. The fine print in the agreement is that Rogers / Fido may rethink the current arrangement in the new year after assessing the actual hit to the network that tethering may or may not incur.

      Fingers crossed...

    • Re: (Score:1, Redundant)

      Dude, just jailbreak, already. How can you be a /. member and resist the urge to pwn your phone?

      Jailbreaking doesn't void anything. I bought a 3G 2 weeks before the 'new model' was 'leaked', and broke it within an hour. Then 2 days before my 30 day 'tryout' was over, I backed it all up, restored it to default non-jailbroken firmware, and returned it 'because it sucked'. Then I went back to the store to preorder the day the 3GS was announced.

      My 3GS will be here in a few days, and it gets broken immediately

    • Re: (Score:3, Informative)

      by Henk Poley (308046)

      Go here on your iPhone: http://help.benm.at/ [help.benm.at]

      It will show you how to enable tethering.

    • by scorp1us (235526)

      And before anyone points out that iPhone 3G didn't have compass built into the hardware - It is supposed to be apple! I expect nothing sort of miracles from Steve Jobs!!

      Why not use the difference of GPS coordinates to determine the last direction walked and use that to orient your google maps/compass?

    • by mdwh2 (535323) on Thursday June 18, 2009 @05:59PM (#28381423) Journal

      Phone companies are the scum that are only slightly worse than the music industry.

      Certain companies with certain phones may well be. My phone Just Works on tethering and other things without the need to jailbreak anything :) (I didn't even know it had a special name like "tethering" to be honest - I just thought it was something that worked as standard out of the box with any phone. There's nothing special about my phone, it's just a commonly available cheap bog-standard one.)

    • by PopeRatzo (965947) * on Thursday June 18, 2009 @06:56PM (#28382201) Homepage Journal

      Frankly I don't know what all the hoopla about iPhone OS 3.0 is about.

      With the release of 3.0, Apple has once again revolutionized the entire realm of interpersonal communications using technology and have put the rest of the computer industry on notice that things are transformed forever.

      Their accomplishment?

      Patches.

      I'm telling you, the iPhone is the Chuck Norris of high-tech fashion accessories. Everything that Apple does in regards to the iPhone is "revolutionary", "game-changing", and "transformative".

      Patches...

    • On a serious note, tethering was supposed to be there without the need to jailbreak your phone, but it is not available in US, and it is not available in Germany. Could someone tell me where it is available? Phone companies are the scum that are only slightly worse than the music industry.

      Works in NZ. Very nice via Bluetooth!

    • Tethering is available in the UK, but you have to pay a 'bolt-on' fee [o2.co.uk] which is only a penny cheaper than their most expensive pay monthly (=no contract) USB dongle, even though the monthly contract includes 'unlimited internet'. Nice of them to support their loyal customers like that.
  • by keeegan (1526067) on Thursday June 18, 2009 @04:16PM (#28379813)
    But when are they going to patch these security flaws on my 2.1 ipod? Paying for an update is ridiculous, especially when it fixes critical security flaws. I sure hope apple does the right thing.
    • Re: (Score:3, Informative)

      Paying for an update is ridiculous

      If you feel that strongly about it, go torrent the firmware. Not that hard to do.

      I sure hope apple does the right thing.

      You must be new here.
      • by hitmark (640295)

        or:

        1. install a different firmware, maybe one that can play more formats...

        2. get a different player that either provide firmwares for free, or allow the community to have a hand in the maintenance...

    • Re: (Score:2, Interesting)

      by Hel Toupee (738061)
      I have a first generation iPod Touch. It says on the back of the box that software bugfixes are free for life. I'd post a link to google images, but noone's managed to get a picture of the back of the box, go figure.
      • Re: (Score:1, Troll)

        by njfuzzy (734116)
        It's entirely possible that an updated 2.X version will come out, later, incorporating fixes. Apple often does that with the Mac OS. (I'm not sure why you're expecting backpatches to be instantaneous.)
        • Why is this modded troll? As a first gen ipod touch user, I was thinking the same thing - some sort of 2.2.2 firmware update for the bugs only in a few weeks from now.
      • I have a first generation iPod Touch as well, and I can state for a fact that the box says no such thing.
    • by Anonymous Coward on Thursday June 18, 2009 @05:05PM (#28380627)

      Go ahead and search Google for the following string, it contains the patches you requested: iPod2,1_3.0_7A341_Restore.ipsw

      • Re: (Score:3, Informative)

        by Anonymous Coward

        iPod1,1_3.0_7A341_Restore.ipsw for a first generation

    • by zaajats (904507)

      But when are they going to patch these security flaws on my 2.1 ipod? Paying for an update is ridiculous, especially when it fixes critical security flaws. I sure hope apple does the right thing.

      Sure, paying for a security update alone is a bit strange, but really — it's only $10 and gives you so much more. Besides, it's not like your iPod has been taken over by viruses due to the bugs.

    • Re: (Score:3, Funny)

      by tyrione (134248)
      You must be a Maddog 20/20 kinda guy.
  • Hacking Safari? (Score:3, Informative)

    by Itninja (937614) on Thursday June 18, 2009 @04:21PM (#28379895) Homepage
    Maybe I am missing something, but the article linked in the summary (about Pwn2Own's prize for hacking Safari) appears to be about someone hacking IE, not Safari.
    • by gEvil (beta) (945888) on Thursday June 18, 2009 @04:45PM (#28380335)
      It helps to move on to page 2 of the article.
    • Re:Hacking Safari? (Score:4, Insightful)

      by Em Ellel (523581) on Thursday June 18, 2009 @04:46PM (#28380351)

      Yes, you are missing the part where you should read the article

      From TFA:

      IE8 wasn't the only browser Nils hacked yesterday. After he took down IE8, he moved on to Apple Inc.'s Safari and Mozilla Corp.'s Firefox, both of which he successfully exploited with attack code he had created earlier. His total for the afternoon: $15,000 in cash from TippingPoint, and the Sony laptop

      • by hattig (47930)

        "created earlier"

        That's hardly in the spirit of the competition, in my opinion.

        Anyway, good that Apple has fixed the bugs. Bad that iPod Touch users have to pay to get the bug fixes.

        • Re: (Score:3, Interesting)

          by slyn (1111419)

          Every hack in the competition was created early, and it was allowed within the rules to do so.

          This made all the sensationalist "MAC CRACKED IN SECONDS" news/blogspam all the more annoying, and the _real_ news all the more painful. The real news was that the Safari exploit that the one dude used to win the Macbook Air had been around since the competition the year prior, and that he chose to save his exploit for the next years competition, and it wasn't fixed before he was able to use it for the CanSecWest 1

          • by hattig (47930)

            Oh dear, that's not a very good show, Apple. Then again I've thought their security update policy is quite lacking in urgency, even when they are notified of a hole.

            • Re: (Score:2, Insightful)

              by pv2b (231846)

              To give you an idea about how slow Apple are about patching security holes, and to add another data point to the description:

              I reported the security issue known as CVE-2009-1697 (which is included in this large patch release). The e-mail back from Apple confirming receiving my report of this issue is dated January 7, 2009 in my e-mail inbox. That's about half a year ago.

              Now, granted the security bug I reported is actually very difficult to exploit and do anything actually useful with. Basically, if you used

    • by Ilgaz (86384)

      If people started to use 'Webkit version xxxx.xx' already, it would be better.

      I hate Apple apologizers too but people miss one fact, Safari is a shell for a Webkit with minor changes at Apple's side. Webkit isn't just 'Safari engine' anymore, it is a huge player both in browsers, multiple operating systems and even core renderer of offline/online apps.

      Just on major players scene, Webkit powers Qt 4.x from Trolltech, Google Chrome, Nokia S60/S40 browser (the company sells 10 M phones in weekend) and Adobe Ai

  • I wonder why the iPhone doesn't see more patches and updates. If the iPhone OS is a branch of Mac OS why isn't the phone patches as much as the desktop OS? Do Windows Mobile machines patch every Tuesday? I never updated my CrackBerry. Perhaps Apple doesn't want the iPhone to appear to need patches more often than it's competitors.
    • If the iPhone OS is a branch of Mac OS why isn't the phone patches as much as the desktop OS?

      Probably because its a branch that is stripped down and on which less can be done, producing less opportunity for vulnerabilities.

    • If you think about it, while they don't happen at exactly the same time OS X does see about as many patches issued as the iPhone.

      One thing throwing you off is that the newer Leopard has taken longer to come out with newer iPhone OS versions (like 1.x to 2.x).

      They do, of course, share the same base OS but tend to sort of leapfrog each other a little as to versions of components used.

  • I have an iPod touch, i was wondering if it was worth it to upgrade. I also wonder if these Safari bugs will be fixed in a 2.x update. Sucks to have to pay $10 to be secure.

      Although if i don't, it's easier to pWn and run cydia on it I guess.

    • by grocer (718489)
      Well, it does add copy/paste (finally), landscape keyboard in Notes & Mail, global search, and nifty controls to Podcasts (30 sec skip, 2x/.5x/1x playback, e-mail button)...plus Push for apps to run in the background. I'm satisfied with the upgrade on my 1G...but still annoyed I had to pay all 10 bucks when I don't get bluetooth headphone support (that's 2G only).
    • I have an iPod touch, i was wondering if it was worth it to upgrade.

      Probably for some of the improvements playing media, you should check a number of the lists and see if anything appeals. Also a number of new apps are going to take advantage of 3.0 and you'll quickly find you would like to upgrade.

      I also wonder if these Safari bugs will be fixed in a 2.x update. Sucks to have to pay $10 to be secure

      But that's the beauty of a system where a large majority (80%+) upgrades to new OS. You may have security

  • by ackthpt (218170) on Thursday June 18, 2009 @04:35PM (#28380175) Homepage Journal

    GoPhone subscribers warned the upgrade will be the end of the service. [mobiletechreview.com]

    AT&T Narrows Prepaid Plan Options [pcworld.com]

    "AT&T currently offers two types of prepaid plans: GoPhone, its "pay as you go" plan, and Pick Your Plan, its "prepay once a month" plan. AT&T's statement says that GoPhone will not be available for either original iPhones or iPhone 3Gs; Pick Your Plan will only continue to work for existing subscribers using the original iPhone, as long as they have an unlimited data plan. Current Pick Your Plan users who don't have an unlimited data plan will be asked to add one. iPhone 3G users are not eligible for Pick Your Plan.

    According to Erica Sadun at TUAW, who's been investigating this issue, all pay-as-you-go users are being strongly encouraged to sign up for a postpaid plan, which includes making a new two-year commitment."

    Looks like I'll be waiting a year for the Apple/AT&T agreement to time-out. I'll not do a two year agreement again, ever.

    • AT&T actually discontinued its unlimited prepaid data plan in general back in November. I still have it, because I'm grandfathered in, but my understanding is that there's no new ones.

      Still... half my reason for keeping it around has been in case the iPhone became more appealing to me. If they drop prepaid data for the iPhone, I think I'm done with them. I'd guess you can still make it work by unlocking, but if I'm going to have to unlock, there's nothing so compelling about their service that would kee

    • by garote (682822)

      "AT&T currently offers two types of prepaid plans: GoPhone, its "pay as you go" plan, and Pick Your Plan, ... "

      I swear, I misread that as "Pick Your Pain", and did not even pause...

  • my iTunes isn't seeing any update from the original 3.0 upgrade yesterday.

    • I think they actually mean the 3.0 upgrade. Of course, this is slashdot and I wouldn't expect any news about actual features...just security patches.
  • " Nils, walked away with a $5,000 cash prize for hacking Safari at the Pwn2Own challenge."

    .

    In other news, for at least 3 months, hackers exploiting Nils technique walked away with a few hundred thousand via identity theft, atm fraud, password access, etc...

Pause for storage relocation.

Working...