updated 03:50 pm EDT, Wed September 9, 2009
Security issues fixed in latest iPhone firmware
The latest iPhone firmware, announced during Apple's music-themed media event, addresses a variety of security vulnerabilities. Previous releases had allowed unauthorized use of a device after a timeout period configured by an Exchange administrator. The system now disables any "Require Passcode" values greater than the maximum inactivity time lock setting, eliminating the time gap.
Another fix prevents Spotlight from accessing messages in a Mail folder after they have been deleted. The company has corrected a CoreAudio bug that allowed maliciously crafted AAC or MP3 files to execute arbitrary code.
Previous releases also allowed unauthorized users to bypass the passcode on a locked device and gain access to data, while a UIKit bug briefly showed password characters as they were deleted. The v3.1 firmware addresses several WebKit vulnerabilities, ranging from password disclosures to numeric character references.
The firmware update is available for the iPhone or iPod touch and can be downloaded through iTunes. iPhone owners can update for free, while the firmware costs $5 for the Touch.