Saturday, August 1, 2009

Apple releases iPhone 3.0.1 software to fix SMS exploit

Responding to a dangerous security exploit unveiled this week, Apple released an update to its iPhone operating system Friday to patch the security hole.

Firmware 3.0.1 is now available for the iPhone, iPhone 3G and iPhone 3GS through iTunes. The update is around 300MB. There is no indication that there are any new features or fixes other than the text message exploit patch.

Earlier Friday, it was reported that Apple would release a fix for the exploit Saturday, but the iPhone maker beat that deadline Friday afternoon.

Security researcher Charlie Miller, co-author of The Mac Hacker’s Handbook, demonstrated the hack Thursday at the Black Hat 2009 conference in Las Vegas. The attack takes advantage of a vulnerability in the phone’s short messaging service, or SMS, feature, giving an outside party root access to the phone without the owner’s knowledge.

The exploit takes advantage of the fact that SMS can send binary code to a phone. That code is automatically processed without user interaction, and can be compiled from multiple messages, allowing larger programs to be sent to a phone. The exploit supposedly exposes the iPhone completely, giving hackers access to the camera, dialer, messaging and Safari. It occurs regardless of hardware revision or which version of the iPhone OS is running.


The technique involves sending only one unusual text character or else a series of "invisible" messages that confuse the phone and open the door to attack. Because users won't know whose messages to block in advance, there's little iPhone owners can do but to shut off the phone immediately if they suspect they're at risk -- a real problem as the trick could also be used to make an iPhone send more messages of its own.
Written by Slash Lane

Amazon Begins Accepting Pre-Orders for Mac OS X Snow Leopard


Several MacRumors readers have reported that Amazon has begun taking pre-orders for Apple's forthcoming Mac OS X Snow Leopard. Amazon is currently offering Snow Leopard at Apple's announced price of $29 for OS X Leopard users, and the listing notes that while Snow Leopard is slated for a September release, no official release date has been announced.

Amazon has also prominently featured an "Upgrade Path Alert" notifying customers that the upgrade is available only for Intel computers currently running OS X Leopard.

Please note, that only Apple OS X Leopard users are eligible for the Snow Leopard upgrade. Tiger & earlier OS users will need to purchase either versions of the upgraded Mac Box Set. Also, Snow Leopard will only run on intel-based Mac computers.

Amazon has also begun offering pre-orders of OS X Snow Leopard family packs, Mac Box Sets bundling Snow Leopard with iLife '09 and iWork '09, and Snow Leopard Server.

- Mac OS X version 10.6 Snow Leopard ($29.00)
- Mac OS X Snow Leopard Family Pack (5-User) ($49.00)
- Mac Box Set - (with Snow Leopard) ($169.00)
- Mac Box Set Family Pack with Snow Leopard (5-User) ($229.00)
- Mac OS X Server version 10.6 Snow Leopard ($499.00)
Written by Eric Slivka

Friday, July 31, 2009

Apple Unlikely to Directly Enter e-Book Market?

Silicon Alley Insider reports that Apple is unlikely to create its own "iTunes for e-books" and will instead rely on third parties to deliver e-book content through the existing App Store. An e-book industry source has reportedly indicated that while Apple had contemplated directly offering e-book content several years ago, the plans were scrapped once the company fully grasped how difficult the industry is to navigate.

- The e-book market is still rather small, and even if Apple's tablet is a huge hit, it'll be hard to make enough revenue selling e-books to make the huge project -- setting up and running an e-book store -- worthwhile.
- Apple's iTunes music, video, and apps stores are designed as break-even businesses to help sell more Apple hardware, like iPhones, iPods, and Macs.
- There's already a ton of e-book vendors in the App Store that could provide a good-enough e-book shopping and reading experience to fulfill the "help sell more Apple hardware" mission. Better ones are showing up all the time.
- E-book stores that use Apple's iTunes e-commerce platform -- or are standalone e-book apps -- generate a very nice 30% revenue cut for Apple. The company probably wouldn't get enough additional revenue selling e-books on its own to be worthwhile.

Speculation regarding Apple's role in e-book offerings for its much-rumored tablet computer was renewed by a recent Financial Times report that cited interest in the new device on the part of e-book publishers. Rumors of Apple collecting book manuscripts for publication surfaced in mid-2006 as details of what ultimately became the iPod touch were circulating, although no Apple e-book offerings were ever released.
Written by Eric Slivka

Apple to Release Fix for iPhone SMS Vulnerability on Saturday?

According to BBC News, an O2 spokesperson has revealed that Apple will be delivering an update on Saturday to address an iPhone SMS security vulnerability disclosed yesterday at the Black Hat cybersecurity conference in Las Vegas.

An O2 spokesperson said the patch would be available Saturday through iTunes.

"We will be communicating to customers both through the website and proactively," the spokesperson added.

"We always recommend our customers update their iPhone with the latest software and this is no different."


The flaw reportedly affects not only the iPhone but also other phones running Windows Mobile and Google's Android operating system, although the iPhone has gained the most significant publicity regarding the issue due to its high-profile status.

As disclosed by Charlie Miller and Collin Mulliner, the vulnerability lies in the modification of data that accompanies text messages and is not seen by the user. Because most operating systems use similar mechanisms to handle SMS data, the vulnerability affects a range of operating systems and devices.

The approach is particularly dangerous because messages are delivered automatically, and users cannot tell that they have received the malicious code.

The problem could be fixed by directly patching the vulnerability in smartphones' operating systems, or the network providers could scan for messages that look to be trying to gain access to phones via the malicious code.

Google has reportedly already taken steps to address the issue, but there is no word on whether Microsoft or wireless carriers are also working to prevent the vulnerability from compromising their systems.
Written by Eric Slivka
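
The article above notes that carriers could scan for messages that misuse the hidden data accompanying a text. As an added example (not from the original post or from the researchers), the sketch below assumes that data is the User Data Header defined in 3GPP TS 23.040 and checks its length fields and concatenation numbering for internal consistency. The function name `check_udh` and the sample bytes are constructed for illustration.

```python
"""Structural check of an SMS User Data Header (UDH), 3GPP TS 23.040 layout."""

# Concatenation information elements: IEI -> required data length
# (0x00 carries an 8-bit reference, 0x08 a 16-bit reference).
CONCAT_IEI = {0x00: 3, 0x08: 4}


def check_udh(user_data: bytes) -> list[str]:
    """Return a list of structural problems; an empty list means well-formed."""
    if not user_data:
        return ["empty user data"]
    udhl = user_data[0]  # declared header length, excluding this byte
    if udhl > len(user_data) - 1:
        return [f"UDHL {udhl} exceeds {len(user_data) - 1} bytes available"]
    header = user_data[1:1 + udhl]
    problems = []
    pos = 0
    while pos < len(header):
        if pos + 2 > len(header):
            problems.append("truncated information element")
            break
        iei, iedl = header[pos], header[pos + 1]
        data = header[pos + 2:pos + 2 + iedl]
        if len(data) < iedl:
            problems.append(f"IE 0x{iei:02x} length {iedl} overruns header")
            break
        if iei in CONCAT_IEI:
            if iedl != CONCAT_IEI[iei]:
                problems.append(f"concat IE 0x{iei:02x} has length {iedl}")
            else:
                total, seq = data[-2], data[-1]
                if total == 0 or not 1 <= seq <= total:
                    problems.append(f"concat part {seq} of {total} is out of range")
        pos += 2 + iedl
    return problems


# Constructed samples (not captured traffic): UDHL, then IEI, IEDL, data, payload.
SAMPLES = {
    "valid part 1 of 2": bytes([0x05, 0x00, 0x03, 0x2A, 0x02, 0x01]) + b"hello",
    "part 3 of 2": bytes([0x05, 0x00, 0x03, 0x2A, 0x02, 0x03]) + b"hello",
    "UDHL past end": bytes([0x20, 0x00, 0x03, 0x2A, 0x02, 0x01]),
    "IE overruns header": bytes([0x05, 0x00, 0x09, 0x2A, 0x02, 0x01]) + b"hello",
}

if __name__ == "__main__":
    for name, ud in SAMPLES.items():
        print(f"{name}: {check_udh(ud) or 'ok'}")
```

A filter or parser that rejects any message with a non-empty result never hands inconsistent length fields to later reassembly code.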