Apple's iOS 5.1.1 Patches Serious Security Flaws

Apple recently released version 5.1.1 of iOS for the iPhone, iPad and iPod touch, patching several vulnerabilities.

"The highest severity vulnerability that's fixed in iOS 5.1.1 is a WebKit flaw that can lead to remote code execution or an application crashing," writes Threatpost's Dennis Fisher. "In order to trigger that vulnerability, a user would need to visit a Web site with a maliciously crafted URL, which is a common attack tactic via phishing emails and URL redirections."

"A second flaw is a WebKit cross-site scripting issue in which 'visiting a maliciously crafted website may lead to a cross-site scripting attack,' Apple explained," Infosecurity reports. "The company acknowledged Sergey Glazunov working with Google's Pwnium contest for finding the flaw."

"The final flaw was a URL spoofing problem which allowed illegitimate domains to visually appear in the address bar as legitimate sites," The H Security reports.

"MajorSecurity researcher David Vieira-Kurz demonstrated a proof of concept for the flaw in March of this year, which caused a new window to open when clicking a specially crafted link," writes Ars Technica's Jacqui Cheng. "The new window showed the user that it was loading (for example) Apple's website, but actually loads another page that gave the appearance of loading Apple's site via an iframe. Vieira-Kurz said the vulnerability was related to the way Mobile Safari handles JavaScript's window.open() function, which could be used to trick users into handing passwords or credit card information over to attackers."

"It’s important for iOS device owners to install this update as soon as possible," writes Forbes' Adrian Kingsley-Hughes. "Now that the updated code is available, the hackers will get to work reverse-engineering it so they can figure out how the vulnerabilities worked so they can make use of that information and target people who haven’t applied the update."