1. Supes2000
    Now before I get debated on this issue... (Sursur, where are you now?) Let me say that I am NOT stating that Apple or the iPhone is perfect, but darn close. See previous threads and posts...

    My reasoning for this is this...when can any of you remember when a cell phone maker provided more than 1, not to mention 3 firmware updates in less than a year??? Much less, updates that were not simple patches but had real meat to them!?!?!

    I am thrilled about the rumored updates coming on 1.1.3 for the iPhone. Now, while I am still waiting for features like cut & paste, Flash and a few native games, I continue to be WoWed by Apple and the speed at which they continue to improve the phone without having to upgrade to a whole new handset.

    -- DO YOU HEAR ME PALM!?!?!

    This mere fact is what drove me to retire my beloved Treo, and I continue to be thrilled by Jobs.

    Looking forward to MacWorld, and the new firmware.
    01-05-2008 09:33 PM
  2. Rene Ritchie
    It is amazing how they've gotten (I assume) the carriers to buzz off and let them basically handle the phone all by themselves.

    Palm, given all they've (likely) suffered at the hands of the carriers, when seeing Apple's freedom, probably had a stroke a little in their collective brains...
    01-05-2008 09:59 PM
  3. surur
    Now before I get debated on this issue...(Sursur, where are you now?)
    Well, I got a 3 point infraction in the cross-platform forum for asking Archie to quote and link his sources, so I will keep out of a thread which insists Apple is great for not even having cut and paste after 3 firmware updates.

    Surur
    01-05-2008 10:16 PM
  4. Supes2000
    HAHAHA! Sursur, as much as I hate to admit it, that was funny!

    Touche my friend...but it's still better than anything else out there today...
    01-05-2008 11:44 PM
  5. byronchurch
    So far I've seen 2 updates. I can't remember the first one. Probably some kind of a block. The second one killed all of my new software and locked me in iLobotomy hell. Right where they want me! Gee whiz! I just can't wait till Mr. Jobs decides to grace us. I won't presume what it might be. Thy will, not mine. Some kind of a search function though, that would be like asking God for an apple!
    01-05-2008 11:45 PM
  6. archie
    So far I've seen 2 updates. I can't remember the first one. Probably some kind of a block. The second one killed all of my new software and locked me in iLobotomy hell. Right where they want me! Gee whiz! I just can't wait till Mr. Jobs decides to grace us. I won't presume what it might be. Thy will, not mine. Some kind of a search function though, that would be like asking God for an apple!
    Actually, there have been 4 updates. Each one adding new features or functionality (though v1.0.2 merely improved/sped up the kernel).


    iPhone v1.0.1 Update

    "Send to Web Gallery" added to allow for posting photos from the iPhone directly to .Mac Photo galleries. No need to sync images. Mobile Photocasting.

    • Safari
    CVE-ID: CVE-2007-2400
    Available for: iPhone v1.0
    Impact: Visiting a malicious website may allow cross-site scripting
    Description: Safari's security model prevents JavaScript in remote web pages from modifying pages outside of their domain. A race condition in page updating combined with HTTP redirection may allow JavaScript from one page to modify a redirected page. This could allow cookies and pages to be read or arbitrarily modified. This update addresses the issue by correcting access control to window properties. Credit to Lawrence Lai, Stan Switzer, and Ed Rowe of Adobe Systems, Inc. for reporting this issue.
    • Safari
    CVE-ID: CVE-2007-3944
    Available for: iPhone v1.0
    Impact: Viewing a maliciously crafted web page may lead to arbitrary code execution
    Description: Heap buffer overflows exist in the Perl Compatible Regular Expressions (PCRE) library used by the JavaScript engine in Safari. By enticing a user to visit a maliciously crafted web page, an attacker may trigger the issue, which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript regular expressions. Credit to Charlie Miller and Jake Honoroff of Independent Security Evaluators for reporting these issues.
    • WebCore
    CVE-ID: CVE-2007-2401
    Available for: iPhone v1.0
    Impact: Visiting a malicious website may allow cross-site requests
    Description: An HTTP injection issue exists in XMLHttpRequest when serializing headers into an HTTP request. By enticing a user to visit a maliciously crafted web page, an attacker could trigger a cross-site scripting issue. This update addresses the issue by performing additional validation of header parameters. Credit to Richard Moore of Westpoint Ltd. for reporting this issue.
    • WebKit
    CVE-ID: CVE-2007-3742
    Available for: iPhone v1.0
    Impact: Look-alike characters in a URL could be used to masquerade a website
    Description: The International Domain Name (IDN) support and Unicode fonts embedded in Safari could be used to create a URL which contains look-alike characters. These could be used in a malicious web site to direct the user to a spoofed site that visually appears to be a legitimate domain. This update addresses the issue through an improved domain name validity check. Credit to Tomohito Yoshino of Business Architects Inc. for reporting this issue.
    • WebKit
    CVE-ID: CVE-2007-2399
    Available for: iPhone v1.0
    Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
    Description: An invalid type conversion when rendering frame sets could lead to memory corruption. Visiting a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution. Credit to Rhys Kidd of Westnet for reporting this issue.


    iPhone v1.0.2 Update

    Smallest update released at just 3.7 MB.

    Time zone issue corrected.
    Marginally smaller and more efficient kernel.
    Apparent fix of an issue where significant green tinting was manifest on photos captured by the built-in camera (undocumented).


    iPhone v1.1.1 Update

    • iTunes Wi-Fi Music Store
    • Louder speakerphone and receiver volume
    • Home button double-click shortcut to phone favorites or music controls
    • Space bar double-tap shortcut to intelligently insert period and space
    • Mail attachments are viewable in portrait and landscape
    • Stocks can now be reordered by selecting a stock under the “i” (settings) icon and dragging it up or down.
    • The Weather widget now lets you reorder cities by selecting a city under the “i” (settings) icon and dragging it up or down.
    • Apple Bluetooth Headset battery status in the Status Bar
    • Support for TV Out
    • Preference to turn off EDGE/GPRS when roaming internationally (Settings > General > Network > Data Roaming [on/off])
    • New Passcode lock time intervals of 1 min, 5 min, 15 min, 1 hour and 4 hours (eliminating 10 min and 30 min choices)
    • Adjustable alert volume
    • New Calculator icon
    • You can now select different alerts for incoming messages by navigating Settings > Sounds > New Text Message > choice of: Tri-Tone (default), Chime, Glass, Horn, Bell, Electronic
    • International characters are available by pressing and holding the letter key to be presented with a menu of associated characters
    • The iPhone mail application now supports MP3, WAV, AAC and 3GPP audio formats whereas before a blank file icon would be displayed for audio attachments.
    • A debug console is now available within Mobile Safari for web developers to find errors on their pages (Settings -> Safari -> Developer -> Debug Console [on/off]).
    • iPod Settings (Settings > iPod) now contains "Video" and "TV Out" sections in addition to the original settings now found under the "Music" label.
    • iPod Video Settings lets you start playing where you left off, or at the beginning of the video
    • iPod Video Settings now includes closed captioning abilities
    • iPod TV Out Settings lets you turn on or off widescreen output from the device and switch between NTSC and PAL TV signal types.
    • Mail can now delete messages from an Exchange server.
    • There are new options for Video playback. You can start playing videos where they left off or from the beginning, and you can use closed captioning. Settings > iPod
    • The iPhone no longer prompts you to delete video/movie/TV show content after having watched it to the end.
    • Safari's open pages (tabs) are now presented in the current viewing orientation regardless of original orientation.
    • Bringing up any contact in your contacts list now lets you easily set a caller-specific ringtone without having to dive into the Edit screen.
    • YouTube: The Today, This Week, and All links at the top of Most Viewed have been rearranged to that order, rather than the older All, Today, or This Week.
    • Can now play back H.264 video at throughput rates up to 2.5 Mbps (previously capable of only 1.5 Mbps) at 640 by 480 pixels, 30 frames per second, Baseline Profile up to Level 3.0 with AAC-LC audio up to 160 Kbps, 48 kHz, stereo audio in .m4v, .mp4, and .mov file formats.
    • A separate additional miniature battery indicator now appears near iPhone’s top right corner when an iPhone Bluetooth Headset is connected.
    • Added “call in progress - tap to return to phone” status when a call is active and iPhone is not in the phone program
    • Can now choose alarm tones from within the Clock application (Clock > Alarm > Edit).
    • iPhone can now sync songs back to iTunes. This was necessitated by the purchase of songs from the iTunes Wi-Fi Music Store.
    • Consequently, the iPhone now also syncs other songs back to iTunes, keeping smart playlists utilizing play counts up to date and making them all the more useful.
    • Alphanumeric passwords can now be used for VPN with the presentation of a full keyboard.
    • Supports RSA SecurID cards in conjunction with VPN.
    • Can now change your voicemail password from the iPhone rather than dialing in to AT&T's Voice Mail service.

    Security Updates

    • Bluetooth
    CVE-ID: CVE-2007-3753
    Impact: An attacker within Bluetooth range may be able to cause an unexpected application termination or arbitrary code execution
    Description: An input validation issue exists in the iPhone's Bluetooth server. By sending maliciously-crafted Service Discovery Protocol (SDP) packets to an iPhone with Bluetooth enabled, an attacker may trigger the issue, which may lead to unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of SDP packets. Credit to Kevin Mahaffey and John Hering of Flexilis Mobile Security for reporting this issue.
    • Mail
    CVE-ID: CVE-2007-3754
    Impact: Checking email over untrusted networks may lead to information disclosure via a man-in-the-middle attack
    Description: When Mail is configured to use SSL for incoming and outgoing connections, it does not warn the user when the identity of the mail server has changed or cannot be trusted. An attacker capable of intercepting the connection may be able to impersonate the user's mail server and obtain the user's email credentials or other sensitive information. This update addresses the issue by properly warning when the identity of the remote mail server has changed.
    • Mail
    CVE-ID: CVE-2007-3755
    Impact: Following a telephone ("tel:") link in Mail will dial a phone number without confirmation
    Description: Mail supports telephone ("tel:") links to dial phone numbers. By enticing a user to follow a telephone link in a mail message, an attacker can cause iPhone to place a call without user confirmation. This update addresses the issue by providing a confirmation window before dialing a phone number via a telephone link in Mail. Credit to Andi Baritchi of McAfee for reporting this issue.
    • Safari
    CVE-ID: CVE-2007-3756
    Impact: Visiting a malicious website may lead to the disclosure of URL contents
    Description: A design issue in Safari allows a web page to read the URL that is currently being viewed in its parent window. By enticing a user to visit a maliciously crafted web page, an attacker may be able to obtain the URL of an unrelated page. This update addresses the issue through an improved cross-domain security check. Credit to Michal Zalewski of Google Inc. and Secunia Research for reporting this issue.
    • Safari
    CVE-ID: CVE-2007-3757
    Impact: Visiting a malicious website may lead to unintended dialing or dialing a different number than expected
    Description: Safari supports telephone ("tel:") links to dial phone numbers. When a telephone link is selected, Safari will confirm that the number should be dialed. A maliciously crafted telephone link may cause a different number to be displayed during confirmation than the one actually dialed. Exiting Safari during the confirmation process may result in unintentional confirmation. This update addresses the issue by properly displaying the number that will be dialed, and requiring confirmation for telephone links. Credit to Billy Hoffman and Bryan Sullivan of HP Security Labs (formerly SPI Labs) and Eduardo Tang for reporting this issue.
    • Safari
    CVE-ID: CVE-2007-3758
    Impact: Visiting a malicious website may lead to cross-site scripting
    Description: A cross-site scripting vulnerability exists in Safari that allows malicious websites to set JavaScript window properties of websites served from a different domain. By enticing a user to visit a maliciously crafted website, an attacker can trigger the issue, resulting in getting or setting the window status and location of pages served from other websites. This update addresses the issue by providing improved access controls on these properties. Credit to Michal Zalewski of Google Inc. for reporting this issue.
    • Safari
    CVE-ID: CVE-2007-3759
    Impact: Disabling JavaScript does not take effect until Safari is restarted
    Description: Safari can be configured to enable or disable JavaScript. This preference does not take effect until the next time Safari is restarted. This usually occurs when the iPhone is restarted. This may mislead users into believing that JavaScript is disabled when it is not. This update addresses the issue by applying the new preference prior to loading new web pages.
    • Safari
    CVE-ID: CVE-2007-3760
    Impact: Visiting a malicious website may result in cross-site scripting
    Description: A cross-site scripting issue in Safari allows a maliciously crafted website to bypass the same-origin policy using "frame" tags. By enticing a user to visit a maliciously crafted web page, an attacker can trigger the issue, which may lead to the execution of JavaScript in the context of another site. This update addresses the issue by disallowing JavaScript as an "iframe" source, and limiting JavaScript in frame tags to the same access as the site from which it was served. Credit to Michal Zalewski of Google Inc. and Secunia Research for reporting this issue.
    • Safari
    CVE-ID: CVE-2007-3761
    Impact: Visiting a malicious website may result in cross-site scripting
    Description: A cross-site scripting issue in Safari allows JavaScript events to be associated with the wrong frame. By enticing a user to visit a maliciously crafted web page, an attacker may cause the execution of JavaScript in the context of another site. This update addresses the issue by associating JavaScript events to the correct source frame.
    • Safari
    CVE-ID: CVE-2007-4671
    Impact: JavaScript on websites may access or manipulate the contents of documents served over HTTPS
    Description: An issue in Safari allows content served over HTTP to alter or access content served over HTTPS in the same domain. By enticing a user to visit a maliciously crafted web page, an attacker may cause the execution of JavaScript in the context of HTTPS web pages in that domain. This update addresses the issue by limiting access between JavaScript executing in HTTP and HTTPS frames. Credit to Keigo Yamazaki of LAC Co., Ltd. (Little eArth Corporation Co., Ltd.) for reporting this issue.


    iPhone v1.1.2 Update

    Firmware change increases the CPU clock speed from 400 to 412 MHz and the bus speed from 100 to 103 MHz.
    Any AAC file with the .m4r extension can now be added to iTunes as a custom ringtone. When synced to the iPhone, they show up under the Custom ringtones section.

    Additional language support: Italiano, Français, Deutsch.

    Additional Keyboard support: English (UK), French, German, Italian.

    Asian font support: Chinese, Japanese.

    International Region Format support: Australia, Belgium, Botswana, Canada, Hong Kong S.A.R., China, India, Ireland, Malta, New Zealand, Pakistan, Philippines, Singapore, South Africa, U.S. Virgin Islands, United Kingdom, United States, Zimbabwe, French, German, Italian.

    Activating multiple keyboards places a globe key on the left of the space bar to allow users to cycle through various keyboards.

    Modem’s firmware updated to version 04.02.13_G.

    Battery charge level/status of iPhone is shown from within iTunes.

    Security Update

    • ImageIO
    CVE-ID: CVE-2006-3459, CVE-2006-3461, CVE-2006-3462, CVE-2006-3465
    Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution
    Description: ImageIO contains a version of libtiff that is vulnerable to multiple buffer overflows. By enticing a user to view a maliciously crafted TIFF image, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issues by performing additional validation of TIFF images. These issues do not affect Mac OS X v10.3.9 systems with Security Update 2006-004, Mac OS X v10.4.7 systems with Security Update 2006-004, or systems running Mac OS X v10.4.8 or later. Credit to Tavis Ormandy, Google Security Team for reporting this issue.
    01-07-2008 02:47 PM