Apple Patches iPhone SMS Vulnerability with software update 3.0.1

Late Friday evening, Apple issued an update to the iPhone operating system in a response to a well-known security vulnerability. iPhone OS 3.0.1 fixes a potential exploit which could allow a remote user to hijack any iPhone by sending a simple series of SMS (text messages).

This update was expected to be released before the BlackHat 2009 security conference last week, where a pair of security researchers who have discovered the flaw presented their findings. Back in 2007, Charlie Miller, security researcher and co-author of The Mac Hacker’s Handbook, demonstrated a WebKit security hole that allowed the hacker to obtain an iPhone user’s personal information. Apple patched the exploit a few days before the demonstration. By contrast, the SMS exploit was patched after Mr. Miller presented details about it. In the days leading up to the patch, I have expressed my frustration with the way Apple and AT&T handled the entire situation from a customer communication and customer service perspective.

I’ve received several responses to that post since the time it was published, most of which directed me to this post, which states that O2 – carrier of the iPhone in the UK – has issued a statement saying that the patch was forthcoming. One carrier in one country communicating to its customers? I think that says enough about how poorly Apple handled the situation.

Any unpatched iPhones are still vulnerable to the attack, so we recommend you run out and update your iPhone ASAP. So far, it looks like the sole purpose of software update 3.0.1. is to fix the security threat, so don’t expect to be surprised with any new features.