Thanks to months of iPhone hype and the vindication of huge sales, by anyone's estimate Apple is certainly riding high this week. Leave it to the hackers, however, to try to cut the company down to size. Mere minutes after the iPhone's release, Robert Graham of the Errata Security blog discovered the first official iPhone bug: an outstanding Safari vulnerability that was previously discovered in a desktop version of the browser. What's more, it was found that the iPhone is just as vulnerable to caller ID spoofing--which can allow others to access your voicemail--as any other AT&T/Cingular handset. With as many as 525,000 iPhones now in the wild, these vulnerabilities could pose a major threat to iPhone users--not to mention the employers of those iPhone users.
However, there is a silver lining. Unlike the traditional handset security model, which finds carriers addressing (or more often than not, not addressing) security vulnerabilities via the network, Apple has reserved the right to deliver software and firmware updates directly to the iPhone via iTunes. And as we have seen, Apple has been pretty vigilant in addressing Safari exploits thus far. "While Apple is slightly behind Windows on the desktop/server (that Samba bug still appears to be unfixed), it's still light years ahead of the mobile vendors," Graham writes on the Errata Security blog. "The mobile market is completely screwed up right now: while carriers know about the widespread vulnerabilities in their phones, the carriers are unwilling to patch them."
Link: http://blogs.zdnet.com/hardware/?p=582