Apple updates iPhone, Safari 3 beta and Security Update

In addition to the AirPort Extreme update released earlier today, Apple has released updates for the iPhone, Safari 3 beta and Security Update 2007-007 1.0.

iPhone 1.0.1 was released and is available through iTunes when the iPhone is connected. According to Apple, the iPhone update fixes two security issues in Safari, two in WebKit and one issue with WebCore.

One issue that was fixed in the iPhone's Safari Web browser was that it gave a website the ability to allow cross-site scripting. A race condition in page updating combined with HTTP redirection could allow JavaScript from one page to modify a redirected page. This could allow cookies and pages to be read or arbitrarily modified. The other issue fixed in Safari could lead to arbitrary code execution if a user visited a maliciously crafted web page.

WebCore was update to fix an issue that allowed a malicious website to permit cross-site requests. Similar to the Safari issue, an attacker could trigger a cross-site scripting using this flaw.

The WebKit issues that were fixed involved look-alike characters in a URL that could be used to masquerade a website and a maliciously crafted website that could lead to an unexpected application termination or arbitrary code execution.

It was widely reported that security researchers were set to reveal details of a critical security flaw in the iPhone at the Black Hat 2007 conference this week. The iPhone update fixed the flaw before the conference.

The notes provided with Safari beta 3.0.3 only say that the update improves security and stability. The update is available via the software update mechanism in Mac OS X.

Security Update 2007-007 1.0 improves the security for several components of the operating system including bzip2, CFNetwork, Core Audio, cscope, gnuzip, Kerberos, mDNSResponder, PDFKit, PHP, Quartz Composer, samba, WebKit and WebCore

Update: Added more information about the security updates on the iPhone.