Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Latest News
    • Reviews

    SMS Fix for iPhone Available, Needs to Be Deployed Before Attacks Surface

    By
    Andrew Garcia
    -
    July 31, 2009
    Share
    Facebook
    Twitter
    Linkedin

      Responding quickly to the SMS-based vulnerability to the iPhone demonstrated this week at the Black Hat conference in Las Vegas and first revealed earlier this month at a conference in Singapore, Apple released version 3.01 firmware for their fleet of mobile devices on Friday.

      The vulnerability research, performed by Charlie Miller and Collin Mulliner, demonstrated ways that an attacker could crash the connectivity or telephony subsystems of the iPhone through a series of invalid SMS messages, or even introduce exploit code to the device.

      IMG_0019.PNG

      According to the limited information Apple provided about the fix, version 3.01 only addresses the SMS vulnerabilities and it apparently does not include other features or fixes at this time. Specifically, the Apple knowledgebase article says:

      “Available for: iPhone OS 1.0 through iPhone OS 3.0 Impact: Receiving a maliciously crafted SMS message may lead to an unexpected service interruption or arbitrary code execution Description: A memory corruption issue exists in the decoding of SMS messages. Receiving a maliciously crafted SMS message may lead to an unexpected service interruption or arbitrary code execution. This update addresses the issue through improved error handling. Credit to Charlie Miller of Independent Security Evaluators, and Collin Mulliner of Fraunhofer SIT for reporting this issue.“

      I’ve downloaded the new code via iTunes, finding the updated firmware (for the 3G and 3GS models) weighing in at 297.9 MB. After downloading, the install went smoothly and took about 10 minutes. In a quick scan around the device, I’ve yet to see any changes in the user interface other than an acknowledgment that the update was successful.

      Given the potential severity of the SMS vulnerability now that the exploit has been discussed in a public forum, I would advise users and mobile administrators undertake the update as soon as possible. However, I feel that corporate administrators particularly will feel the pain of this update because of the lack of attention Apple has paid toward true enterprise management tools for the device.

      While Apple has made some strides toward enterprise friendliness with version 2.0 of their profile tools – allowing administrators to push out certificates, usage policies, and VPN settings – Apple has done nothing to address remote firmware management on a device fleet.

      BlackBerry administrators can turn to their BES servers to deploy critical firmware updates. Android and WebOS administrators (however few of those there may be at this time) can expect the carrier to deliver patches (albeit in a staggered and somewhat unpredictable fashion). Windows Mobile and Symbian administrators can turn to third party tools for the same functionality.

      But iPhone administrators have to e-mail all their users to tell them to do it themselves – presuming the users have access to iTunes and some decent bandwidth – or run a time-inefficient depot station and demand the users bring the devices in for immediate upgrade. Neither solution is effective for large deployments because neither ensures the work will get done.

      Because we haven’t yet seen any in-the-wild attacks on the SMS vulnerabilities, time to patch may not be critically important in this particular instance. But quite possibly in the near future, Apple will find itself facing a critical vulnerability with a zero-day remote exploit in the wild, and it will find its delivery methods failing a most important segment of its customer base.

      Andrew Garcia
      Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for eWEEK.com, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at agarcia@eweek.com.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×