UPDATED: Apple patches iPhone SMS flaw

— 2:01 PM on July 31, 2009

Going public about a major security hole might not be the most tactful approach, but it can certainly prove effective. BBC News reports that Apple will release a software fix for the iPhone's recently publicized SMS vulnerability tomorrow.

BBC News got its information not from Apple, which was reportedly "not available to comment on the flaw," but from O2, the carrier that distributes the iPhone in Britain. If this information checks out, the fix will be available on iTunes just two days after security experts revealed the flaw at the Black Hat conference in Las Vegas.

As we wrote early this morning, the security hole could allow hackers to take control of a remote iPhone by sending a maliciously crafted SMS message. Charlie Miller and Collin Mulliner, who made the discovery, claim to have gone public because of Apple's failure to respond in a timely manner. "If we don't talk about it, somebody is going to do it silently. The bad guys are going to do it no matter what," Mulliner explained.

Miller and Mulliner expect hackers to develop software that can exploit the flaw within about two weeks, so iPhone users should have plenty of time to get patched. If you'd rather play it safe, though, the folks at TechFragments have posted a few suggestions: put your iPhone in airplane mode, remove permissions from the MobileSMS.app (if you're running a jailbroken device), or call AT&T to have the SMS service turned off. (Thanks to TR reader James for the tip.)

Update: Well, so much for O2. Engadget points out that Apple has already released the patch, and it quotes the following statement from Apple spokesman Tom Neumayr:

We appreciate the information provided to us about SMS vulnerabilities which affect several mobile phone platforms. This morning, less than 24 hours after a demonstration of this exploit, we've issued a free software update that eliminates the vulnerability from the iPhone. Contrary to what's been reported, no one has been able to take control of the iPhone to gain access to personal information using this exploit.

You should be able to download the iPhone OS 3.0.1 update from iTunes right now. According to AppleInsider, the patch weighs in at 300MB.
