apple
Report a problem

Apple releases iPhone firmware 3.0.1, fixes SMS flaw

Andrew Lyle   on 31 July 2009 - 18:29 · 53 comments & 20119 views

Advertisement (Why?)
Apple has responded to the security alert reported yesterday about the iPhone being vulnerable by SMS, where a hacker could lock up your iPhone, rending it useless, or even take control over it remotely.

Apple has released a patch for the SMS vulnerability, available immediately on iTunes. The firmware update, labeled as 3.0.1, contains only an update for the SMS attack. In the description of the update on Apple.com describes the update as:

A memory corruption issue exists in the decoding of SMS messages. Receiving a maliciously crafted SMS message may lead to an unexpected service interruption or arbitrary code execution. This update addresses the issue through improved error handling. Credit to Charlie Miller of Independent Security Evaluators, and Collin Mulliner of Fraunhofer SIT for reporting this issue.

The update is available for all iPhone users, including first generation, iPhone 3G and iPhone 3GS.


Share this Article

  • Technorati
  • Magnolia
  • Stumble upon it
  • Reddit
  • Blink List
  • Delicious
  • Slashdot
  • Furl
  • Facebook
  • Windows Live
  • Google
  • Newsvine
  • Yahoo
  • RawSugar
  • Netvouz

About the Author

Full name: Andrew Lyle
User name: Andrew Lyle
Contact: via forum PM
Submissions: View All
More: View Bio   New!

Related news

 

Post a comment · Send to friend Comments · There are 53 additional comments
(3 replies) #1 +warwagon on 31 Jul 2009 - 18:34
yay
#1.1 Andrew Lyle on 31 Jul 2009 - 18:34
Yup

Just a warning to all, this will undo and erase all jailbroken applications!
#1.2 +dave164 on 31 Jul 2009 - 18:42
Andrew Lyle said,
Yup

Just a warning to all, this will undo and erase all jailbroken applications!



boooo
#1.3 +TCLN Ryster on 31 Jul 2009 - 20:13
Thats the risk you take by breaking the license terms of the iPhone OS by jailbreaking it, you've gotta wait for a new version of your quick pwn software, or whatever it's called.
(4 replies) #2 bbfc_uk on 31 Jul 2009 - 18:41
230.1 MB - not really a patch!
#2.1 +littleneutrino on 31 Jul 2009 - 18:55
bbfc_uk said,
230.1 MB - not really a patch!

The reason it is that size is because they never actually just change files with the update its a Firmware update with means they replace the whole Image of the OS on the system where as a patch for a program can only be the required files a firmware is a solid chunk that needs replacing.
#2.2 bbfc_uk on 31 Jul 2009 - 19:03
I know, but its just that one issue it resolves. Surely they can just 'patch' it.
#2.3 Nicholas-c on 31 Jul 2009 - 19:08
Apple dont support alpha patching or whatever its called (replacing certain files) Whole thing or nothing.
#2.4 +TCLN Ryster on 31 Jul 2009 - 20:14
Nicholas-c said,
Apple dont support alpha patching or whatever its called (replacing certain files) Whole thing or nothing.

Close I think it's called Delta Patching. You were on the right lines with the Greek alphabet though hehe
#3 BGM on 31 Jul 2009 - 18:48
excellent stuff, can't wait for my iPhone! :o
(3 replies) #4 Chasethebase on 31 Jul 2009 - 18:49
Also note: iPod Touch users, this update does not apply, iTunes will not attempt to download it for you and will say that 3.0 is the current version.

Might want to add that into the article.
#4.1 roadwarrior on 31 Jul 2009 - 19:14
Why would it apply to the Touch? The Touch doesn't have SMS, so the flaw doesn't affect it.
#4.2 Phemo on 31 Jul 2009 - 19:21
Well that kind of makes sense as an iPod Touch can't do SMS. Anyone who reads the article and sees it's a fix for SMS should automatically know it can't apply to the Touch.
#4.3 WA7ER on 01 Aug 2009 - 17:58
You'd be surprised...
(4 replies) #5 kizuran on 31 Jul 2009 - 18:51
I wonder how Apple compensated C. Miller & C. Colliner for their research.
#5.1 Pc_Madness on 31 Jul 2009 - 19:26
kizuran said,
I wonder how Apple compensated C. Miller & C. Colliner for their research.


Err, are you suggesting that companies have to pay researchers for them finding exploits?
#5.2 GreyWolfSC on 31 Jul 2009 - 19:40
Pc_Madness said,
Err, are you suggesting that companies have to pay researchers for them finding exploits?


Pay, no, but some sort of token, like a gift card or something wouldn't be bad for PR.

The timeliness of the fix and official credit to those that discovered the flaw is definitely a good thing.
#5.3 +shinji257 on 31 Jul 2009 - 19:44
GreyWolfSC said,
Pay, no, but some sort of token, like a gift card or something wouldn't be bad for PR.

The timeliness of the fix and official credit to those that discovered the flaw is definitely a good thing.


Yea... This could of been a very serious issue but it was brought up to Apple's attention and allowed the to fix it.
#5.4 +TCLN Ryster on 31 Jul 2009 - 20:15
GreyWolfSC said,
Pay, no, but some sort of token, like a gift card or something wouldn't be bad for PR.

The timeliness of the fix and official credit to those that discovered the flaw is definitely a good thing.

When have Apple ever been worried about getting bad (or good for that matter) PR?
(5 replies) #6 Deihmos on 31 Jul 2009 - 18:51
230MB and they call that a patch? i guess the Iphone is just as lame as Itunes where you have to download 80Mb everytime a simple update is released. Doesn't the Iphone receive updated over the air? I still don't understand what anyone sees in this lame device that requires that slow program itunes.
#6.1 bbfc_uk on 31 Jul 2009 - 19:01
Well don't buy one then. Some of us like the iPhone and I personally don't have any problems with iTunes.
#6.2 roadwarrior on 31 Jul 2009 - 19:18
No, the iPhone doesn't get updates over the air. Neither does Windows Mobile, for that matter. WinMo has an update app, so I guess the capability is there, but I've never once seen an update released that used it.

FWIW, about your complaint about updating iTunes, MOST software that I've ever downloaded required you to download a full installer for each new update, I really don't know of much that doesn't.
#6.3 Gabe3 on 31 Jul 2009 - 19:35
Deihmos said,
230MB and they call that a patch? i guess the Iphone is just as lame as Itunes where you have to download 80Mb everytime a simple update is released. Doesn't the Iphone receive updated over the air? I still don't understand what anyone sees in this lame device that requires that slow program itunes.

230MB is the size of the whole firmware, its an updated firmware, not a patch. "they" as in neowin calls it a patch, but its a whole OS with a new fix in it.
#6.4 Deihmos on 31 Jul 2009 - 19:36
I have used Napster and Rhapsody and simple updates didn't require me downloading the 12MB again. Why is Itunes 80MB? For some reason i thought the Iphone would update itself over-the-air like the Palm Pre. If someone doesn't connect the phone to Itunes on a regular how would they know that there is an update. Do they give a notice?

I not to recently tried out Itunes and it left a bad impression. Slow, laggy, and lacking applicaiton.
#6.5 +Martog on 31 Jul 2009 - 19:47
Deihmos said,
I have used Napster and Rhapsody and simple updates didn't require me downloading the 12MB again. Why is Itunes 80MB?


Because it also includes Quicktime (which is the backend for playing the audio and video in iTunes). It also has to have drivers and other files for every iPod as well as its built in CD burning function. Also has the Bonjour service included. It's also an international release, it doesn't include just English files in it. It roughly expands to a little over double the installer size between Quick Time and iTunes and everything it needs. Also note Quicktime is an international release as well as it contains more than one language project folders.
#7 Rob on 31 Jul 2009 - 19:23
No jailbreak is currently available for this firmware, nor have we any idea if the baseband is affected to render UltraSn0w useless. I'll post updates on my site about this as and when it's released: http://www.poorlad.com/iCommunity
#8 Gabe3 on 31 Jul 2009 - 19:24
me waits for dev team...
(2 replies) #9 +TCLN Ryster on 31 Jul 2009 - 20:54
Interestingly given that this security flaw is the only fix in this release, my iPhone seems a little less sluggish since I updated it a few minutes ago. After 3.0 it had gone really slow, with stuttery sounds and suchlike. It seems a little better now.
#9.1 bbfc_uk on 31 Jul 2009 - 21:17
Bonus!

Maybe it was a botched firmware install when you updated to 3.0, and this one went better.
#9.2 cakesy on 01 Aug 2009 - 07:25
bbfc_uk said,
Bonus!

Maybe it was a botched firmware install when you updated to 3.0, and this one went better.

It would be ridiculously rare for it to be botched in this particular way. Not only are the images signed, but for that to be the only problem, wow, it would be a huge improbability.
(2 replies) #10 bob_c_b on 31 Jul 2009 - 21:40
So yesterday Apple sucked because they hadn't addressed this shocking flaw and today Apple sucks because the download is large? Just checking.
#10.1 Andrew Lyle on 31 Jul 2009 - 21:46
It is a small flaw in Apple's software. It is unpatchable and needs a full download of the firmware to update something as small as this. Reminds me of when they released 2.2.1, all it did was fix "stability" issues with Safari, but mostly blocked the dev team.

Maybe 4.0 will be different, allowing smaller patches to be available, but with that comes numbers amounts of vulnerability holes in the software...
#10.2 +Smigit on 01 Aug 2009 - 05:18
it's not just an iPhone firmware thing but. Quicktime, iTunes ect all require substantial downloads for fixes. I don't think it's unrealistic for users to expect a company as large as theirs to be able to implement patching, especially if they are going to install tools that check for updates and the like to the system.

I don't think people are complaining that the fix is out (although it perhaps could have arrived sooner ideally).
(2 replies) #11 saxondale. on 31 Jul 2009 - 21:52
What about if we're running 3.1?
#11.1 +TCLN Ryster on 31 Jul 2009 - 22:19
I guess you're SOL until the next beta (or RC or RTW) release of 3.1. Unless of course Beta 3 includes this fix and they just haven't told anybody.
#11.2 Si on 01 Aug 2009 - 08:53
saxondale. said,
What about if we're running 3.1?

Yes beta3 includes the fix (so I hear...)
(3 replies) #12 J400uk on 31 Jul 2009 - 22:12
Does this break the tethering loophole?

Any other fixes at all?
#12.1 Andrew Lyle on 01 Aug 2009 - 16:24
No, this update ONLY patches the SMS flaw and nothing else. You can still jailbreak this version by pointing at the 3.0 firmware. No baseband or any other changes were implemented.
Your tethering loophole will be fixed in 3.1
#12.2 J400uk on 01 Aug 2009 - 23:54
Thank you.

I guess I won't bother with 3.1 when that comes out as the tethering is hugely useful to me.
#12.3 +kraized on 02 Aug 2009 - 10:25
Andrew Lyle said,
No, this update ONLY patches the SMS flaw and nothing else. You can still jailbreak this version by pointing at the 3.0 firmware. No baseband or any other changes were implemented.
Your tethering loophole will be fixed in 3.1


I'm running 3.1 beta 3 and the tethering hack still works fine. :/
#13 Joshie on 01 Aug 2009 - 02:53
Bwahaha, they still refuse to use the word 'fix'. It's simply "improved error handling". Great stuff. XD
(1 reply) #14 yakumo on 01 Aug 2009 - 05:30
Is this the patch that makes the battery life not suck?
#14.1 RaulMR on 01 Aug 2009 - 11:13
yakumo said,
Is this the patch that makes the battery life not suck?


Hi there

No is not a patch for battery

cya
(4 replies) #15 EVANK on 01 Aug 2009 - 11:54
And what about iPod Touch users like myself who downloaded the update, which to be honest was not worth it because ever since I updated, it crashes all the time, I used to get emails with pictures, example. Ebuyer send me an email with current offers, same with Scan and now; I don't see anything. The browser is rubbish, applications tun slow, when you are typing as I am now, there is a delay and it comes up a few seconds later. Another annoying... Bl**dy irratating thing, when you are typing it jumps up the page to the top or to the bottom depending what website you are on. Fix the darn issues with the iPod Touch as well because it's driving me crazy. I used to like my iPod Touch now I hate the darn thing because the update has made it worse. I thought, I was the only one with these problems, until I searched through the Internet and found other people with the same issues as me. I have contacted Apple in the US and they said we have not recieved any information about people complaining about the software update.

Just look at your forum and around the Internet are you blind or just ignoring the fact the software update may have been a sucess with the iPhone but it sure not the case with the iPod Touch.
#15.1 RaulMR on 01 Aug 2009 - 12:15
with 3.0.1 i type more fast (run SMS app seams more slow) than 3.0 but this time i do not backup my iphone, just sync them. I lost my sms and all call reports but it's better this away.

Cya
#15.2 Andrew Lyle on 01 Aug 2009 - 16:26
Why would you put this on your touch? The update is for the iPhone only, only difference is the SMS flaw fix... You did not have to update at all
#15.3 roadwarrior on 02 Aug 2009 - 02:34
I think evank is confused, as this update doesn't even get downloaded for iPod Touch.
#15.4 NeoTrunks on 03 Aug 2009 - 19:26
Yea, something is not right. This update will not show up for iPod Touches. As for your other problems, maybe you should try a restore? I had the old 2G iPhone and now the 3GS, and I didn't see any problems with them on 3.0 (or 3.0.1, for that matter). Could be an iPod specific issue, though.
#16 +witalit on 01 Aug 2009 - 14:05
Wow and I just finished customising my iPhone the way I like it. Damn apple and their firmware updates, everytime I have to jailbreak, then download and customise!! ahh so annoying.
(1 reply) #17 jafoman on 01 Aug 2009 - 21:19
My update to 3.0.1 failed and was stuck in recovery mode... Had to restore from the backup I did just prior to doing the update. Lost all knds of app settings after the restore and sync. Why can't they restore app settings??? At least all my apps/music/movies/photos were restored okay. My wife's phone of course updated fine.

Apple has publically acknowledged the two people who found this issue. That does not happen very often (you don't see those in Microsoft Update do you?). That's recognition enough don't you think?
#17.1 GreyWolfSC on 02 Aug 2009 - 16:54
jafoman said,
My update to 3.0.1 failed and was stuck in recovery mode... Had to restore from the backup I did just prior to doing the update. Lost all knds of app settings after the restore and sync. Why can't they restore app settings??? At least all my apps/music/movies/photos were restored okay. My wife's phone of course updated fine.

Apple has publically acknowledged the two people who found this issue. That does not happen very often (you don't see those in Microsoft Update do you?). That's recognition enough don't you think?


No, they don't credit people on WU/MU, but they have issued props to the discovering parties quite a few times in the past.
(1 reply) #18 Leonick on 02 Aug 2009 - 11:46
1. how the hell can ushc a vulnerbility be in the sms app? how can anything in the messaging app be related to controling the iphone remotely? :/
apple really program in wierd ways, anyone knew that safari on the iphone/ipod uses the mail app to create bookmarks? noticed this due to the fact that 3.0 have problems with hidden apps :/

2. Seriously there should have been an update out much earlier adressing som other erros out there, like the random wifi/internet problems... me and a friend both have 16gb ipod touches, his cant use internet with 3.0 or barely with some luck, i just noticed the ipod touch can do over 1mbit/s download over wifi
#18.1 GreyWolfSC on 02 Aug 2009 - 16:58
Apparently it was exploiting the way SMS messages are encoded. The maximum message length varies depending on the character set used, so if there's a flaw in gauging and trimming the received message it could theoretically result in this by creating a buffer overrun.

http://en.wikipedia.org/wiki/Short_message_service

Transmission of short messages between the SMSC and the handset is done using the Mobile Application Part (MAP) of the SS7 protocol. Messages are sent with the MAP mo- and mt-ForwardSM operations, whose payload length is limited by the constraints of the signaling protocol to precisely 140 octets (140 octets = 140 * 8 bits = 1120 bits). Short messages can be encoded using a variety of alphabets: the default GSM 7-bit alphabet (see GSM 03.38 for details), the 8-bit data alphabet, and the 16-bit UTF-16 alphabet.[26] Depending on which alphabet the subscriber has configured in the handset, this leads to the maximum individual Short Message sizes of 160 7-bit characters, 140 8-bit characters, or 70 16-bit characters (including spaces). Support of the GSM 7-bit alphabet is mandatory for GSM handsets and network elements,[26] but characters in languages such as Arabic, Chinese, Korean, Japanese or Cyrillic alphabet languages (e.g. Russian) must be encoded using the 16-bit UTF-16 character encoding (see Unicode). Routing data and other metadata is additional to the payload size.

Larger content (Concatenated SMS, multipart or segmented SMS or "long sms") can be sent using multiple messages, in which case each message will start with a user data header (UDH) containing segmentation information. Since UDH is inside the payload, the number of characters per segment is lower: 153 for 7-bit encoding, 134 for 8-bit encoding and 67 for 16-bit encoding. The receiving handset is then responsible for reassembling the message and presenting it to the user as one long message. While the standard theoretically permits up to 255 segments,[27] 6 to 8 segment messages are the practical maximum, and long messages are often billed as equivalent to multiple SMS messages. See Concatenated SMS for more information. Some providers have offered length-oriented pricing schemes for SMSs, however, the phenomenon is disappearing.

Commenting has either been disabled on this article or you are not logged in. Click here to login or register, its free!

Note: Anonymous commenting is disabled in order to keep the quality of responses to a high standard.

Advertisement (Why?)
News powered by Neowin Management System (Build - 5.0.1390) © 2000 - 2008 Neowin.net