Analyst: iPhone patching has been botched

updated 04:35 pm EDT, Wed July 16, 2008

Apple slow on iPhone patch

Apple left the iPhone exposed to a serious vulnerability for months despite knowing how to fix it, a security analyst alleges. Charlie Miller of Independent Security Evaluators notes that while the iPhone 2.0 firmware has since fixed the problem, for over three months, the v1.x firmware was vulnerable to the same WebKit exploit used to hack a MacBook Air within two minutes. The feat earned him $10,000 from TippingPoint Technologies.

Miller says that although he attempted to tell Apple about the suspected iPhone vulnerability, the company complained in response as recently as two weeks ago, when he mentioned the flaw to the Washington Post. "They said I should have reported this to Apple security rather than to the Washington Post," according to Miller. "I told them 'I gave you the exploit, what else do you want me to do?'"

Apple is said to have in fact denied the seriousness of the problem in the iPhone OS, labeling it different from the one that affected Mac OS X. The company backed up its statement by saying it had run Miller's exploit without trouble, but Miller claims that Apple neglected to run a final essential line.

Miller also charges that Apple has been slow in coping with iPhone vulnerabilities as a rule, given that five of the 13 security holes fixed in iPhone 2.0 were patched for Mac OS X between March and June. "Not every single Safari bug will also be on the iPhone, but almost every WebKit bug will," he says. "If they're going to patch Mac OS X, I don't see why they can't patch the iPhone at the same time."

by MacNN Staff



  1. robttwo

    Joined: Dec 1969


    damn serious

    Wow, this must have been damn serious, considering the thousands and thousands of iPhones that fell victim to this exploit. Oh wait, does anyone know of any that did? Raise your hands...uh...anyone?

    These "professional exploiters" are just getting boring. Of course, it doesn't benefit Charlie's company at all if he can manufacture a climate where people are super paranoid now does it??


  1. Guest

    Joined: Dec 1969


    Security Concerns

    Sounds like he is blowing his own horn. Does anyone know of any problems with this security problem?

  1. horvatic

    Joined: Dec 1969


    Sensationalism story

    Wow, yet not one iPhone was ever compromised. If Apple thought for a second that this security issue was so damn important and so obvious, they would have made a special patch. I really don't think anyone was in danger and in reality this is one of those sensationalist stories trying to make a mountain out of a mole hill.

  1. ViktorCode

    Joined: Dec 1969


    Vulnerable or Exploitable

    Mr Miller suggests that any vulnerability means the imminent appearance of an exploit for it. Statistics prove him wrong though. Writing an exploit is a far more complicated task than just discovering an unsafe call in open source code that might lead to, say, a buffer overflow. Until you actually write the exploit that will work outside of the lab on a broad range of configurations you have nothing substantial to boast about.

    Speaking of boasts, why hasn't Mr Miller demonstrated an iPhone he hacked by exploiting this "serious vulnerability"? Maybe because this exploit couldn't do anything more dangerous than crashing Safari if a user visited a maliciously crafted web page? Or he failed to do even that?

    What you have to remember is that there are hundreds of open vulnerabilities on any OS. The difference is what an actual exploit can do. Say, on a Windows machine a browser vulnerability could cost you all browser-stored passwords while on other systems the result will be quite different. Counting vulnerabilities on different OSes and then bluntly comparing the numbers is the worst security analysis I've seen in IT. Yet, "security experts" have to make money for a living somehow...

  1. shigzeo

    Joined: Dec 1969


    theoretical safety

    still it would be nice if apple did work on patching even theoretical exploits soon. i don't care if all it is bad press and yellow journalism, i am tired of hearing about security problems with our secure os and os phone. i want to be safe, not just be theoretically safe

  1. testudo

    Joined: Dec 1969


    Of course

    Leave it to the bashers to complain not about the lack of security patching, but saying "Well, no one was exploited, so it isn't a problem!". You set up a security policy to keep from being exploited, you don't wait until there is actually an exploit and then say "Oh, yeah, we knew about that, I guess we should fix it now".

    Oh, and apparently Apple thought enough to patch it in OS X. Should they not have bothered with that, since no one had an exploit there, either?

    You all would be slamming MS if their policy seemed to be "We'll patch it when an exploit arrives, not just because some doofus says he found an exploit".

  1. jdonahoe

    Joined: Dec 1969


    Apple may have gotten

    Apple may have gotten lucky, for now. As the iPhone becomes more ubiquitous, hackers WILL start trying to mess up the phone and people with all manner of exploits. Apple should be vigilant, if only for appearance.

  1. ophiochos

    Joined: Dec 1969


    shooting the messenger

    if people like this guy were exploiting instead of publicising, SOMEONE would be worse off. Has it occurred to most of these posters that what he says is correct? What if it is? Or are you informed of all the pertinent facts? Quick to judge, aren't we?
