Friday, February 8, 2008

Apple Patches iPhone Security Vulnerability


Following news that Apple's latest firmware update for the iPhone breaks the "jailbreak" software that many users had installed to run third-party applications or use a carrier other than AT&T, nCircle's Andrew Storms said that, with the iPhone SDK on its way, it's best to take advantage of the security patch and sit tight for a few months.
Apple has pushed out its 1.1.2 firmware update for the iPhone and iPod touch, which fixes a bug in rendering TIFF images. The bug has been used by several groups to create software hacks for unlocking the phone and for "jailbreaking" the phone to run third-party applications. It also made the iPhone extremely vulnerable to malicious exploits.
Previous versions of Apple's firmware used a version of the libtiff library that was susceptible to buffer overflow attacks. "By enticing a user to view a maliciously crafted TIFF image, an attacker may cause an unexpected application termination or arbitrary code execution," Apple's update page explained.
While the upgrade fixes a serious security hole, it also breaks the "jailbreak" software many users have installed to run third-party applications or use the phone with a different carrier.
But hackers have already come up with a way around the update. Users can run software called Oktoprep before upgrading to 1.1.2. An outfit called Conceited Software now offers a jailbreak program to keep the phone open for third-party apps.

Hacks Not Worth the Risk

To get the benefits of the 1.1.2 upgrade without losing functionality, users can install Oktoprep on a phone running the 1.1.1 firmware. Once installed, it's safe to upgrade to 1.1.2. But users who have unlocked their devices might wind up with an iBrick if they upgrade without installing the latest hacks.
Apple has announced that it will release a software development kit for the iPhone in February, but until then the company appears locked in a cat and mouse game with the unlockers.
"For the mass majority of consumers, there is no high value to gain in risking another iPhone brick," Andrew Storms, director of security operations for nCircle, said in an e-mail. "With the SDK on its way, it's best to upgrade, take advantage of the security patch, and sit tight for a few months."
Even with the TIFF bug fix, enterprises should remain wary of the iPhone, Storms said. "Until Apple puts forth centralized configuration, compliance, and auditing mechanisms for the iPhone, it will just be a great gadget that every executive wishes their I.T. security staff would endorse," he said.
Besides fixing the TIFF hole, the latest upgrade offers a few new features. They include support for more languages, a battery indicator in iTunes, and a custom option for ringtones.

China Mobile in Talks for iPhone

In other iPhone news, Apple is in preliminary negotiations with China Mobile to sell the iPhone in China, Wang Jianzhou, China Mobile's CEO, announced at an industry conference on Tuesday. "Our customers like this kind of fashionable product," he said.
Another China Mobile executive, Huang Haibo, told Agence France-Presse, "Of course, we hope to bring the iPhone to China, but for the time being we're only in preliminary contact with Apple, and we have not made any concrete progress yet."
But Wang also said he finds the revenue-sharing model that Apple has won with carriers in the U.S. and Europe less than fashionable. "We still think we can maintain the operator-centric model because we have the customers, the end users," he said.
China Mobile is the world's largest carrier with 350 million subscribers, so it would be an excellent partner for Apple in China. But, as Wang said, that many subscribers also gives the company substantial bargaining power with Apple.
Apple is expected to launch the iPhone in Asia in 2008 and is in negotiations with several carriers across the region. Apple plans to launch its first Apple Store in China soon.


