
iPhone Firmware Update v1.0.1 Released by Apple

Tue, Jul 31, 2007 | by Stéphane Dion

Firmware, iPhone News


iPhone fan boys, go ahead and connect your iPhone to iTunes now! An iPhone firmware update was released by your favorite fruit company. But before you get too excited here, I must tell you that the firmware update v1.0.1 solves only Safari security issues. Good thing though, your entire life is in this precious little device.

Is this the iPhone software update we talked about earlier today? I don’t think so…I mean I hope not!

Here’s an extract of Apple’s release notes:

Impact: Visiting a malicious website may allow cross-site scripting

Description:
Safari’s security model prevents JavaScript in remote web pages from
modifying pages outside of their domain. A race condition in page
updating combined with HTTP redirection may allow JavaScript from one
page to modify a redirected page. This could allow cookies and pages to
be read or arbitrarily modified. This update addresses the issue by
correcting access control to window properties. Credit to Lawrence Lai,
Stan Switzer, and Ed Rowe of Adobe Systems, Inc. for reporting this
issue.

Impact: Viewing a maliciously crafted web page may lead to arbitrary code execution

Description:
Heap buffer overflows exist in the Perl Compatible Regular Expressions
(PCRE) library used by the JavaScript engine in Safari. By enticing a
user to visit a maliciously crafted web page, an attacker may trigger
the issue, which may lead to arbitrary code execution. This update
addresses the issue by performing additional validation of JavaScript
regular expressions. Credit to Charlie Miller and Jake Honoroff of
Independent Security Evaluators for reporting these issues.

Impact: Visiting a malicious website may allow cross-site requests

Description:
An HTTP injection issue exists in XMLHttpRequest when serializing
headers into an HTTP request. By enticing a user to visit a maliciously
crafted web page, an attacker could trigger a cross-site scripting
issue. This update addresses the issue by performing additional
validation of header parameters. Credit to Richard Moore of Westpoint
Ltd. for reporting this issue.

Impact: Look-alike characters in a URL could be used to masquerade a website

Description:
The International Domain Name (IDN) support and Unicode fonts embedded
in Safari could be used to create a URL which contains look-alike
characters. These could be used in a malicious web site to direct the
user to a spoofed site that visually appears to be a legitimate domain.
This update addresses the issue through an improved domain name
validity check.

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

Description:
An invalid type conversion when rendering frame sets could lead to
memory corruption. Visiting a maliciously crafted web page may lead to
an unexpected application termination or arbitrary code execution.
Credit to Rhys Kidd of Westnet for reporting this issue.
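To illustrate the XMLHttpRequest item in the extract above, here is an added example (not Apple's code and not part of the release notes) of what "additional validation of header parameters" can look like when headers are serialized into a request. It assumes the injection vector is line-break characters in a header value, which the release notes do not specify; all function names are hypothetical.

```javascript
// Added illustration; names are hypothetical, not Safari/WebKit code.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/; // RFC 7230 "token" (method, field-name)
const BAD_VALUE = /[\r\n\0]/;                    // characters that can end a header line

// Naive serializer: copies caller-supplied strings straight into the request.
function serializeNaive(method, path, headers) {
  let out = `${method} ${path} HTTP/1.1\r\n`;
  for (const [name, value] of Object.entries(headers)) {
    out += `${name}: ${value}\r\n`;
  }
  return out + "\r\n";
}

// Hardened serializer: validates every name and value before writing it.
function serializeChecked(method, path, headers) {
  if (!TOKEN.test(method)) throw new TypeError("invalid method");
  if (/[\s\0]/.test(path)) throw new TypeError("invalid request target");
  let out = `${method} ${path} HTTP/1.1\r\n`;
  for (const [name, value] of Object.entries(headers)) {
    if (!TOKEN.test(name)) {
      throw new TypeError(`invalid header name: ${JSON.stringify(name)}`);
    }
    const v = String(value);
    if (BAD_VALUE.test(v)) throw new TypeError(`invalid value for ${name}`);
    out += `${name}: ${v.trim()}\r\n`;
  }
  return out + "\r\n";
}

// Header lines actually present on the wire (after the request line,
// before the blank line that ends the header block).
function headerLines(raw) {
  return raw.split("\r\n\r\n")[0].split("\r\n").slice(1);
}

// Constructed input: ONE header whose value carries a second header line.
const constructed = { "X-Note": "hello\r\nHost: other.example" };

function demo() {
  const naiveCount = headerLines(serializeNaive("GET", "/", constructed)).length;
  let rejected = false;
  try {
    serializeChecked("GET", "/", constructed);
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  return { supplied: Object.keys(constructed).length, naiveCount, rejected };
}

console.log(demo());
```

The naive serializer emits more header lines than the caller supplied, which is the condition a server-side or proxy-side check can also flag; the checked serializer refuses the request before anything is written.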


iPhone Firmware File Reveals iPhone Release Plans for Europe

Wed, Jul 4, 2007 | by Stéphane Dion

Hacks, iPhone News


Hackers down at HackintOsh are drilling down into the OS file downloaded from Apple’s website last weekend to find any piece of useful information. A forum user named erhnam found images with the following names:

Default_CARRIER_ATT.png
Default_CARRIER_CINGULAR.png
Default_CARRIER_TMOBILE.png
Default_CARRIER_VODAFONE.png

This is certainly not a confirmation that T-Mobile would be the iPhone exclusive partner in Germany and that Vodafone would be for much of Europe. But it probably confirms that Apple had these partners in mind for a long time and that they have been having very close discussions on iPhone release plans for Europe.

Via Engadget
