Apple patches image buffer overflow in iPhone, iPod Touch

Applying the patch, however, disables Jailbreak and third-party applications for the iPhone.

Apple on Monday released a patch for the iPhone and iPod Touch. The TIFF vulnerabilities associated with the patch are serious. However, in fixing the security flaws, users will no longer be able to apply Jailbreak, software that allows for third-party applications on the iPhone. Further, Apple says the update is only available through iTunes, and will not appear in the Mac OS software update application, or on the Apple downloads site, and requires the latest version of iTunes to receive this update.

Image IO
This patch affects users of iPhone v1.0 through v1.1.1, iPod Touch v1.1, and v1.1.1 and does not not affect Mac OS X v10.3.9 systems with Security Update 2006-004, Mac OS X v10.4.7 systems with Security Update 2006-004, or systems running Mac OS X v10.4.8 or later. The patch addresses vulnerabilities found in CVE-2006-3459, CVE-2006-3461, CVE-2006-3462, and CVE-2006-3465. According to Apple, "Image IO contains a version of libtiff that is vulnerable to multiple buffer overflows. By enticing a user to view a maliciously crafted TIFF image, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issues by performing additional validation of TIFF images."

Apple credits Tavis Ormandy of Google's security team for reporting this vulnerability.

 

ARTICLE DISCUSSION

Conversation powered by Livefyre

Don't Miss
Hot Products
Trending on CNET

Hot on CNET

CNET's giving away a 3D printer

Enter for a chance to win* the MakerBot Replicator 3D Printer and all the supplies you need to get started.