Apple disclosed Friday that the iPhone 2.0 software, which can be downloaded by users of the previous-generation iPhone, fixes some bugs in the browser and networking software in that earlier device. Some of the browser bugs are serious and could give attackers a way to sneak malicious software onto the iPhone.
The update fixes seven Safari bugs and three flaws in the Web Kit browser engine used by Safari. One of the Web Kit flaws was exploited in March by Independent Security Evaluators Researcher Charlie Miller to hack into a MacBook Air laptop to win a well-publicized hacking contest.
Miller said he'd warned Apple that the iPhone was vulnerable to the same attack, but the company had told him it was not. In an interview via e-mail Friday, he expressed exasperation at seeing that the issue had finally been addressed. In the past he has been critical of Apple for patching bugs in its Mac OS X software while leaving the same issues unpatched in the iPhone, which is also based on OS X.
Friday's update also fixes networking bugs in the Mac OS kernel software and CFNetwork software used by the iPhone.
Although the iPhone has not been the target of any known attacks, the iPhone 2.0 patch is worth downloading, said David Marcus, a security research manager with McAfee. "If you look at what the bad guys are looking at, browsers are certainly high on their list," he said. "It's important that when patches are released, people update as soon as they can."
The iPhone 2.0 software has a few other bells and whistles to encourage the upgrade, such as support for Cisco VPN connections and Microsoft Exchange ActiveSync. It also has better e-mail and contact management features, Apple says.
The update is also intended for iPod Touch users, Apple said. People who buy the iPhone 3G shouldn't need to do anything because the iPhone 2.0 software comes preloaded on that device.
Actually getting the iPhone 2.0 update on Friday was a tricky prospect for some. Apple's iTunes update site was overwhelmed by customers upgrading to iPhone 2.0 and by iPhone 3G buyers activating their new phones.
The company's public relations staff was apparently overwhelmed too. They didn't return calls and e-mails seeking comment for this story.
Apple's last set of security fixes for the iPhone came out Jan. 15.