Update your Apple devices to iOS 4.3, or risk malicious code attacks

Filed Under: Apple, Malware, Vulnerability

Apple has released iOS 4.3, the latest version of its operating system for iPhones, iPads and the iPod touch.

Although some will be excited by the promise of faster performance from Safari, better video streaming and the thought of sharing their iTunes library over WiFi around the home, perhaps the most important reason to install the update onto your Apple gadgets is security.

According to Apple, the new iOS 4.3 update includes a number of critical security patches - some of which are designed to prevent vulnerabilities being exploited that could lead to malicious code being run on your iPhone or iPad.

Details of the security fixes are included in an Apple knowledgebase article. They include protection against maliciously-crafted TIFF image files that could be used to run malicious code on your device, and fixes for multiple memory corruption issues in WebKit, which could mean that visiting a boobytrapped website leads to unauthorised code being executed.

These are, of course, the kind of vulnerabilities that have been exploited by malicious hackers and virus writers in the past and would present a way to deliver code to a non-jailbroken iPhone that did not involve entering via the official iPhone App Store.

There is no indication that these vulnerabilities have been exploited in the wild, but it would nevertheless be prudent to defend against them by installing the operating system patch to your iOS devices. Especially now that details of the security holes are known to the computer underground.

Bad news for iPhone 3G owners
There's bad news, however, for users of older Apple devices. The iOS 4.3 update is only compatible with the iPhone 3GS and later and the iPod touch 3rd generation and later. (It works on the original iPad, and the imminent iPad 2.)

So if you have an earlier iPhone or iPod touch, your device is probably vulnerable to attacks which exploit these security holes, and there is no official patch available for you to protect yourself. That's bad news for the many people who still have an iPhone 3G, for instance.

If you were looking for an excuse to upgrade your iPhone or iPod touch - maybe you've just been given a good one by Apple. But if you were happy with your iPhone 3G, I doubt you're feeling too good about having to reach into your pocket.

Apple customers can download the iOS 4.3 update via iTunes, and more information about the update can be found on Apple's website.

18 Responses to Update your Apple devices to iOS 4.3, or risk malicious code attacks

  1. Bill S. · 1139 days ago

    The least Apple could do is allow those of us with "old equipment" to jail-break our devices. I have a Generation 2 iTouch. I'm not inclined to buy a new one any time soon, since this one works just fine. I figure if I own the hardware, I should be able to do anything I want with it. If it voids the warranty, so be it. I've been warned.

    • matt · 1139 days ago

      So then jailbreak it. If you want to do whatever you want with your product, then do it. As much as I support the jailbreaking, rooting, etc, Apple has no obligation to make it easy for you.

      • wemjs · 1139 days ago

        Please! They leave countless people open to attack, that's very serious business. People use their iPhones for very risky things attack wise, so it's really a high risk group.

        They should take some kind of responsibility, most of the 3G models will be less than 2 years old.

      • androidposts · 1138 days ago

        err.

        How does jailbreaking have anything to do with protecting against bugs patched in the newest OS version? It doesn't -- for any platform.

        Jailbreaking / rooting without understanding that you're (equivalently) opening up the "administrator" account on a desktop OS is dangerous. You could easily be installing a keylogger or a network packet sniffer without realizing it. There's also no emergency application pull when they are found to be malicious. Just google your favourite 3rd party application store + "virus" or "malware" and watch the good times roll.

        • Toxus · 1073 days ago

          I agree with Androidposts. Jailbreaking itself doesn't open you up to attacks; it's people who don't know how to secure themselves that do. There are multiple applications like Firewall IP and even intermediate fixes to some of the exploits used for the userland jailbreaks. People are just stupid enough nowadays to open whatever link they're given without thinking about if it's malicious enough and that's what opens them to attacks.

          That's also the reason why so many people fall for those Facebook Rogue Apps. Because they're too stupid to think, hmm maybe my friend didn't send me this...

  2. Jethro Tull · 1139 days ago

    "If you were looking for an excuse to upgrade your iPhone or iPod touch - maybe you've just been given a good one by Apple. "

    By "upgrade", you mean "ditch", right?

  3. FooBar · 1139 days ago

    This isn't new. There have been no security updates since 3.1.4 for owners of the original iPhone.

  4. Anonymous · 1139 days ago

    The mention of TIFF vulnerabilities suggests that perhaps some useful vulnerability exists that would allow reviving jailbreakme or similar.

  5. Okat · 1138 days ago

    Until Apple decides on plugging the Mobile Safari vulnerabilities in older iPhones, to be more secure, just use Opera Mini, with its server-side, Presto rendering engine.

    Opera's A LOT faster...and now the only secure browsing option. For those few specialty sites that ignominiously block Opera or require a local rendering engine, use Safari for just those.

  6. Wazza · 1138 days ago

    Owners of iPhone 3G could try Android....
    http://www.redmondpie.com/install-android-2.2.1-f...

    No guarantees that they don't destroy their phone or contact data in the process but it's not like Apple's going to help them with updates, anyway.

  7. iLie2All · 1137 days ago

    My heart bleeds for all you poor (and naive) Apple owners. And this is the same smug outfit that foolishly insists only PC users get viruses....

    This maniacal company is over hyped, overrated and overpriced. Its fanatical followers are the technological equivalent of a village witch doctor clinging to his voodoo beads and rattles.

    Steve Jobs is nothing more than a Pied Piper of pseudo-intellectuals. The collective ignorance of Mac users, along with their hysterical iCult worship of Apple, are now posing a real threat to the industry by forcing their lunacy onto the other 90% of us. They belong with the mindless hordes who march in lockstep with the thug regimes in places like Tehran or Pyongyang.

    Don't drink the iKool Aid from the Apple's Temple, or you'll wind up being part of the JobsTown Massacre.

  8. Colt · 1136 days ago

    Ah, for anyone freaking out here, the likelihood of your iPhone actually getting hacked or getting a virus is very, very small, and even if you do you can simply wipe it and reinstall your firmware. Furthermore, if you jailbreak it you can download all kinds of apps and patches to make your device more secure. Androidposts was wrong there, and he seems to be confused about the difference between an iPhone OS and a PC OS. The most important thing to remember is don't keep important data on your iPhone only, without keeping a backup on your computer or CD. This goes with all electronic devices including your home PC. Also, if you are worried about identity theft then don't keep your credit card details or other personal details on the iPhone (remember that if you are using sites like eBay/PayPal or other services that use your credit card your credit card details are usually stored on their servers not in the application data on your phone).

    • Toxus · 1073 days ago

      He wasn't too wrong, Jailbreaking is exactly like opening the Administrator's account. Root is not enabled on iOS by default anymore, mobile and wireless are. Jailbreaking just enables root, adds a couple services, installs cydia/APT and then hooks MobileSubstrate into Springboard. It's almost exactly like he said. And really the only difference between iOS and a PC OS is the drivers and the UI, the underlying OS is MacOS X (Aka Xnu/Darwin) compiled for ARM6/7. The underlying OS IS a PC OS, The GUI is the only thing that implies that it's not, and the GUI is not an OS.

  9. Well if Apple are no longer patching my device I may as well upgrade to an HTC with Android.

    Thanks Apple and goodbye.

    • Spenser · 1051 days ago

      Good luck with that. Android doesn't receive all that many updates, and when it does they don't come to HTC phones for several months or more because of their Sense UI differences from vanilla Android phones.

      So take your pick. Either way you won't be guaranteed any updates.

  10. Reston · 1135 days ago

    Apple is counting on sheeple to feed its coffers repeatedly and there are plenty out there willing to pay exorbitant amounts for tech products that are quickly made obsolete by corporate intention... "whatever the traffic will bear"

  11. McMagic · 1134 days ago

    Unfortunately there is a problem for anyone with a 3GS updating to iOS 4.2 onwards - there is a well-publicised bug which means that your phone will crash after 5 mins or so in EVERY call. Apple have been notified but there is no answer on when they will fix it. Those in the know say "but don't upgrade your software" however if you do as Apple recommends (and I did sadly) and upgrade the software it means you are now in possession of a 3GS which cannot really be used anymore as a phone.
    Come on Apple, you can do better than that!
    Not all of us have the wherewithal to go out and purchase an iPhone 4 if we are locked into a 2 year mobile contract which had the 3GS.

    • Toxus · 1073 days ago

      If you have ever been jailbroken, download TinyUmbrella and an earlier IPSW and see if you can restore to the older one.


About the author

Graham Cluley is an award-winning security blogger, and veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.