Apple fixes iPhone security flaw

iPhone manufacturer Apple has fixed a vulnerability in the phone’s SMS handling that would allow a hacker to take control of the device.

The company released the “iPhone OS 3.0.1” patch, which iPhone users can download through iTunes, to fix the flaw, which was highlighted at the Black Hat security conference in Las Vegas last week.

The two researchers who discovered the flaw, Charlie Miller and Collin Mulliner, gave Apple advance notice of the flaw before releasing details at the conference so the company could prepare a fix.

The flaw allows a hacker to take complete control of the iPhone via the phone’s text messaging features. Miller and Mulliner demonstrated that an attacker could make calls, send text messages and even erase data from a hacked phone.

Apple released a statement about the patch, which said that “a memory corruption issue exists in the decoding of SMS messages”.

“Receiving a maliciously crafted SMS message may lead to an unexpected service interruption or arbitrary code execution. This update addresses the issue through improved error handling. Credit to Charlie Miller of Independent Security Evaluators, and Collin Mulliner of Technical University Berlin for reporting this issue.”

But the problems aren’t over for Apple. A poll of 94 security professionals at the Black Hat conference, undertaken by security company nCircle, found that 56% believe the iPhone will be the handset most vulnerable to attacks during 2009.

“Unfortunately, it looks like the security problems with iPhone will continue to grow until Apple makes security a higher priority,” nCircle director of information technology, Andrew Storms, said in a statement.

“If there is a silver lining for iPhone users, it’s that all of the security research attention it is getting could eventually turn the iPhone into one of the most secure mobile platforms.”

Similar vulnerabilities have been found in the Google Android and Microsoft Windows Mobile operating systems. Google has released a fix for the Android vulnerability, while Microsoft is currently developing a patch.
