Establishing Digital Trust: Don't Sacrifice Security for Convenience
If you own multiple Apple devices, today is going to be a busy one for you.
Apple is now updating its iOS operating system for iPhone, iPod Touch and iPad users. Mac OS X users are also getting updates and Safari users on both Mac and Windows are getting a new version.
A number of the fixed flaws across all the platforms are derived from exploits first publicly demonstrated last month at the PWN2OWN security challenge. Security researcher Charlie Miller successfully exploited iOS this year, hacking into an iPhone. Apple's iOS also uses the WebKit rendering engine, which was exploited by VUPEN security in their five second attack on Mac OS X.
"A use after free issue existed in the handling of text nodes," Apple warned in its advisory on the VUPEN Security issue. "Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution."https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
Another WebKit related issue is one that was used to exploit the RIM Blackberry during PWN2OWN is being fixed by Apple. Blackberry also uses WebKit as the underlying engine behind its Web browser. Apple describes the flaw as an integer overflow issue that existed in the handling of nodesets.
Both the Safari 5.0.5 and iOS 4.3.2 updates provide fixes for both of the WebKit issues. Google also uses the WebKit rendering engine as part of its Chrome Web browser and issued patches back in March to fix the PWN2OWN flaws.
Charlie Miller's specific PWN2OWN 2011 hack was in the QuickLook component in iOS.
"Viewing a maliciously crafted Microsoft Office file may lead to an unexpected application termination or arbitrary code execution," Apple stated in its advisory.
Additionally Apple is providing an update for both iOS and Mac OS X to help protect users against SSL certificate fraud.
"Several fraudulent SSL certificates were issued by a Comodo affiliate registration authority," Apple stated in its advisory. "This may allow a man-in-the-middle attacker to redirect connections and intercept user credentials or other sensitive information. This issue is addressed by blacklisting the fraudulent certificates."