iPhone update 1.0.1 is now available through iTunes. The new release patches several security flaws related to Safari, WebKit and WebCore.
You can obtain the update via the "Check for Updates" button or menu item in iTunes. To check that the iPhone has been properly updated, tap "Settings" then "General" then "About." The version after applying this update will be "1.0.1 (1C25)".
Problems after updating? Please let us know.
Specific security enhancements include:
Safari
- An HTTP injection issue exists in XMLHttpRequest when serializing headers into an HTTP request. By enticing a user to visit a maliciously crafted web page, an attacker could trigger a cross-site scripting issue. This update addresses the issue by performing additional validation of header parameters. Credit to Richard Moore of Westpoint Ltd. for reporting this issue.
- Look-alike characters in a URL could be used to masquerade a website. The International Domain Name (IDN) support and Unicode fonts embedded in Safari could be used to create a URL which contains look-alike characters. These could be used in a malicious web site to direct the user to a spoofed site that visually appears to be a legitimate domain. This update addresses the issue through an improved domain name validity check.
- Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. An invalid type conversion when rendering frame sets could lead to memory corruption. Visiting a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution. Credit to Rhys Kidd of Westnet for reporting this issue.
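The XMLHttpRequest item above describes the fix as additional validation of header parameters before they are serialized into the request. The sketch below is an added example, not Apple's code: it shows one way a client can refuse header names and values that would break out of their own line. The function names, the choice of the RFC 7230 grammar and the sample inputs are assumptions made for illustration.

```javascript
// Added illustration: validate request parts before they are serialized.
// RFC 7230 "token": the only characters allowed in a method or header name.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// Header value: tab, space, visible ASCII and obs-text bytes (0x80-0xFF).
// CR, LF, NUL and other control characters are excluded.
// Assumption: the value is a byte string (one character per byte).
const VALUE = /^[\t\x20-\x7e\x80-\xff]*$/;
// Request target: printable ASCII with no spaces, so it cannot end the request line.
const TARGET = /^[\x21-\x7e]+$/;

function validateHeader(name, value) {
  if (typeof name !== "string" || !TOKEN.test(name)) {
    return { ok: false, reason: "invalid header name" };
  }
  if (typeof value !== "string") {
    return { ok: false, reason: "header value is not a string" };
  }
  // Strip optional leading/trailing whitespace, then check what remains.
  const trimmed = value.replace(/^[\t ]+|[\t ]+$/g, "");
  if (!VALUE.test(trimmed)) {
    return { ok: false, reason: "control character in header value" };
  }
  return { ok: true, name, value: trimmed };
}

function serializeRequest(method, target, headers) {
  if (typeof method !== "string" || !TOKEN.test(method)) throw new Error("invalid method");
  if (typeof target !== "string" || !TARGET.test(target)) throw new Error("invalid request target");
  const lines = [`${method} ${target} HTTP/1.1`];
  for (const [name, value] of headers) {
    const checked = validateHeader(name, value);
    if (!checked.ok) throw new Error(`${checked.reason}: ${JSON.stringify(name)}`);
    lines.push(`${checked.name}: ${checked.value}`);
  }
  // Each validated header occupies exactly one CRLF-terminated line.
  return lines.join("\r\n") + "\r\n\r\n";
}

// Constructed sample inputs (not taken from the advisory).
const SAMPLES = [
  ["Accept", "text/html"],
  ["X-Note", "hello\r\nX-Injected: 1"], // line break inside the value
  ["Bad Name", "value"],                // space inside the name
];

function checkSamples() {
  return SAMPLES.map(([name, value]) => validateHeader(name, value).ok);
}

console.log(checkSamples()); // [ true, false, false ]
```

Rejecting the whole request, rather than stripping the offending characters, keeps the serializer from silently sending something different from what the caller asked for.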
For more information on updating and restoring iPhone software, see Knowledge Base article #305744.