Apple has released an iPhone software update that patches five vulnerabilities in the handset's operating system - now to be used in the Apple iPad.

The Apple iPhone OS 3.1.3, the first update since September 2009, contained three patches tagged with the phrase 'arbitrary code execution', Apple-speak for a critical vulnerability.

Unlike other software makers, such as Microsoft and Oracle, Apple does not rank flaws with a threat-scoring system.

The vulnerability that stood out to Andrew Storms, director of security operations at nCircle Network Security, was the one in the iPhone's recovery mode, which is used to restore the smartphone when it's completely unresponsive.

"A memory corruption issue exists in the handling of a certain USB control message," said Apple's advisory.

"A person with physical access to the device could use this to bypass the passcode and access the user's data."

In other words, data on a lost, but locked, iPhone could be accessed by whomever finds it.

Storms pointed out that Apple patched a vulnerability in recovery mode last September when it updated the iPhone OS to 3.1.1 .

At the time, Apple's description of the flaw was similar to the latest one.

"A heap buffer overflow exists in Recovery Mode command parsing. This may allow another person with physical access to the device to bypass the passcode, and access the user's data."

Apple has had problems with the iPhone's password-locking feature in the past.

In August 2008, a researcher discovered that Apple had forgotten to patch a bug that let people sidestep locking by simply tapping 'Emergency Call' on the password-entry screen, then double-tapping the Home button.

The bug had been patched in January 2008, but resurfaced in iPhone 2.0. Apple re-patched it a month later.

The other four holes plugged today aren't much to worry about, said Storms.

"The small number is a good sign," he said.

"Plus, we're not seeing horrendous WebKit vulnerabilities that could be exploited by getting people to a website."

WebKit is the open-source browser engine used by Apple to power Safari on the iPhone and Apple iPod touch.

One of the two WebKit bugs is in how the browser engine deals with HTML 5 external resources, such as images or video files.

"The sender of an HTML-formatted email message could use this to determine that the message was read," said Apple's advisory.

"That's a marketing or spammer kind of tool," said Storms, equating it with the practice of inserting images in email to monitor the rate at which victims read the spam.

With the appearance of iPhone 3.1.3 - and the recent unveiling of Apple's iPad by CEO Steve Jobs - Storms expects that the next update of the smartphone's firmware won't take place until this summer, when a major upgrade will likely be launched alongside a new iPhone.

"We're looking later in the year, I think," he said.

According to Apple, the iPhone 3.1.3 update also improves the accuracy of battery level reporting on the iPhone 3GS and fixes a problem that in some cases prevented third-party apps from launching.

iPhone and iPod Touch owners can wait out the update interval - iTunes automatically checks Apple's update servers once a week - or retrieve iPhone 3.1.3 manually by selecting 'Check for Update' under the iTunes Help menu and then docking the iPhone to a PC or Mac.


Mobile phone buying advice

Compare mobile phone deals

See all mobile phone reviews

See also: Citrix developing app to run Windows 7 on iPad