Responding quickly to the SMS-based vulnerability to the iPhone demonstrated this week at the Black Hat conference in Las Vegas and first revealed earlier this month at a conference in Singapore, Apple released version 3.01 firmware for their fleet of mobile devices on Friday.
The vulnerability research, performed by Charlie Miller and Collin Mulliner, demonstrated ways that an attacker could crash the connectivity or telephony subsystems of the iPhone through a series of invalid SMS messages, or even introduce exploit code to the device.
According to the limited information Apple provided about the fix, version 3.01 only addresses the SMS vulnerabilities and it apparently does not include other features or fixes at this time. Specifically, the Apple knowledgebase article says:
“Available for: iPhone OS 1.0 through iPhone OS 3.0 Impact: Receiving a maliciously crafted SMS message may lead to an unexpected service interruption or arbitrary code execution Description: A memory corruption issue exists in the decoding of SMS messages. Receiving a maliciously crafted SMS message may lead to an unexpected service interruption or arbitrary code execution. This update addresses the issue through improved error handling. Credit to Charlie Miller of Independent Security Evaluators, and Collin Mulliner of Fraunhofer SIT for reporting this issue.“
I’ve downloaded the new code via iTunes, finding the updated firmware (for the 3G and 3GS models) weighing in at 297.9 MB. After downloading, the install went smoothly and took about 10 minutes. In a quick scan around the device, I’ve yet to see any changes in the user interface other than an acknowledgment that the update was successful.
Given the potential severity of the SMS vulnerability now that the exploit has been discussed in a public forum, I would advise users and mobile administrators undertake the update as soon as possible. However, I feel that corporate administrators particularly will feel the pain of this update because of the lack of attention Apple has paid toward true enterprise management tools for the device.
While Apple has made some strides toward enterprise friendliness with version 2.0 of their profile tools – allowing administrators to push out certificates, usage policies, and VPN settings – Apple has done nothing to address remote firmware management on a device fleet.
BlackBerry administrators can turn to their BES servers to deploy critical firmware updates. Android and WebOS administrators (however few of those there may be at this time) can expect the carrier to deliver patches (albeit in a staggered and somewhat unpredictable fashion). Windows Mobile and Symbian administrators can turn to third party tools for the same functionality.
But iPhone administrators have to e-mail all their users to tell them to do it themselves – presuming the users have access to iTunes and some decent bandwidth – or run a time-inefficient depot station and demand the users bring the devices in for immediate upgrade. Neither solution is effective for large deployments because neither ensures the work will get done.
Because we haven’t yet seen any in-the-wild attacks on the SMS vulnerabilities, time to patch may not be critically important in this particular instance. But quite possibly in the near future, Apple will find itself facing a critical vulnerability with a zero-day remote exploit in the wild, and it will find its delivery methods failing a most important segment of its customer base.