Apple Zaps SMS Vulnerability With 3.0.1 iPhone Firmware

Apple has released a patch on Friday to cater for the now-public SMS exploit that could have allowed hackers to take complete control - at least as a proof of concept - of any iPhone device.

More than 40 million iPhones could have been exposed to this rather serious security vulnerability which was exposed last week by two security specialists - Charlie Miller of Independent Security Evaluators, and Collin Mulliner of Technical University Berlin - at the Black Hat conference in Las Vegas.

The hack - which also affects older iPhone OS editions - would have allowed criminals to make calls and send texts unbeknown to the users as well as downloading confidential data without the user knowledge.

iPhone 3.0.1, otherwise known as CVE-2009-2204, will solve a memory corruption issue that exists in the decoding of SMS messages and is triggered upon receiving a maliciously crafted SMS.

This may lead to an "unexpected service interruption or arbitrary code execution" and this appear to have been solved through "improved error handling" from Apple developers. The latter were apparently aware of it for the last six months.

Other smartphones as well including those on the Android and Windows Mobile platforms are also affected by the same weakness. Google has already released a fix for the Android platform while Microsoft is working on one to be released soon.

Our Comments

Credits to Apple for closing the hack so quickly. But Apple security woes could soon get nastier as a poll of 94 security professionals carried out at the Black Hat conference by security firm nCircle found out that 56 percent of respondents believe the iPhone will be the smartphone "most vulnerable to attacks during 2009".

Related Links

Apple fixes iPhone security flaw

About the security content of iPhone OS 3.0.1

iPhone Firmware 3.0.1 Fixes SMS Exploit

Apple plugs iPhone SMS hole

Apple fixes iPhone text message vulnerability