Apple patches months-old iPhone, iPod touch bugs

Apple patched 13 vulnerabilities in the iPhone and iPod touch last Friday, including several it had fixed in Mac OS X or the Safari Web browser as long ago as March.

Six of the 13 bugs were tagged with the phrase "arbitrary code execution," which Apple uses to denote the most serious vulnerabilities. Other operating system vendors, such as Microsoft, typically label such flaws "critical" in their threat rating systems.

All but two of the bugs affected Safari or WebKit, the open-source code that provides Safari's core engine.

Several of the Safari and WebKit patches for the iPhone and iPod touch had been released by Apple earlier -- sometimes months earlier -- comparisons with previous security advisories and searches on the CVE (Common Vulnerabilities and Exposures) database indicated. According to Computerworld's analysis, five of the 13 iPhone/iPod touch fixes were for vulnerabilities previously patched in Mac OS X or Safari in between March and June.

That lag caught the attention of one security professional, who criticized Apple's inability to update Safari across its product lines. "Putting out a security update on the same day that it launched [iPhone 2.0] shows that they knew they were already behind," said Andrew Storms, director of security operations at nCircle Network Security Inc. "Charlie Miller beat the drum on this, asking if anyone realized that there were a number of unpatched vulnerabilities on the iPhone. A lot of people hadn't thought of that because we were looking forward to iPhone 2.0.

"But Apple put us in a situation of being vulnerable," he said.

Other vulnerabilities patched by Apple on Friday had been addressed by other vendors months, or in one case, years, before. A Safari cross-site scripting vulnerability patched Friday, for example, had been fixed in early June 2006 -- more than two years ago -- by Mozilla Corp. in an update to its then-current Firefox 1.5 browser.

Storms blasted Apple's patching practice, saying that the reality didn't match the company's talk. "They're the ones telling us that they're working toward a unified platform," said Storms. But based on the slow patching for the iPhone's vulnerabilities, he questioned whether that's true. "We've been working on the supposition that the iPhone firmware is OS X-based, and same-code based. If that's the case, Apple should be able to update one, and easily update other [versions] of Safari.

"Either [the iPhone and Mac operating systems] are not the same code base or their business groups can't coordinate releases," he argued.

At least one of the just-patched vulnerabilities has had an available exploit since February. Tagged with the CVE identifier 2008-0177, the flaw, which was fixed in late May by Apple as part of a massive 40-patch update to Mac OS X, was pinned with an exploit as early as Feb. 24.

iPhone and iPod touch owners can obtain the security patches by downloading and installing the 2.0 firmware, which is available via Apple's iTunes.