APPLE-SA-2010-02-02-1 iPhone OS 3.1.3 and iPhone OS 3.1.3 for iPod touch - SANS Internet Storm Center


Several security issues are addressed for iPhone OS in this update. All of them are applicable to iPhone OS 1.0 through 3.1.2 and iPhone OS for iPod touch 1.1 through 3.1.2. The update will bring your device up to OS 3.1.3.

Almost all of the issues addressed are serious - many of them are buffer overflow conditions allowing arbitrary code execution for common iPhone activities:

  • watching a maliciously crafted MP4 video
  • viewing a malicious TIFF graphic
  • accessing a (again, maliciously crafted) FTP site.
  • There's also a particularly nasty one that uses a memory corruption issue to bypass the iPhone password (via a crafted USB control message), allowing access to user data on the phone.

These are referenced as CVE-2010-0036, CVE-2009-2285, CVE-2010-0038, CVE-2009-3384 and CVE-2009-2841.

These updates are available on iTunes - more information on the issues and update procedure can be found at , or the main security update site at

The recommendation is to update your device to OS 3.1.3 as soon as possible.


=============== Rob VandenBrink Metafore ===================

Rob VandenBrink

579 Posts
ISC Handler
Feb 3rd 2010
A note to save others from the same time-wasting exercise as I have just enjoyed (groan).

Ensure you update to the latest version of iTunes (9.0.3) *before* trying to update your iPhone (OSX 10.5.8)


