Apple's iOS 5 update closes almost 100 security holes
Apple has released version 5 of its iOS mobile operating system, a major update that adds several new features and addresses a number of security vulnerabilities. According to the company, the update closes nearly 100 holes in the OS that could, for example, be exploited to gain access to private data, cause a device reset, lead to a cross-site scripting (XSS) attack, or execute arbitrary code on a victim's device.
The security update fixes issues with the mobile version of the Safari web browser, the Calendar app, the OfficeImport component for viewing Microsoft Office Word and Excel files, and the way that X.509 certificates are handled. Other problems addressed by the update include vulnerabilities in CoreMedia, CoreGraphics, CoreFoundation, the XML library (libxml), ImageIO and the kernel. CalDAV, which is used by iCal and the Calendar app in iOS to sync calendar data, now checks whether the SSL certificate presented by the server is trusted before syncing, in order to prevent user credentials or private data from being intercepted from a calendar server.
Support for TLS 1.2 has been added to prevent an attacker from decrypting an SSL connection via the recently disclosed potential information disclosure risk in SSL/TLS; a number of browser makers, including Google and Microsoft, have started to implement fixes for this issue. Like Safari 5.1.1 and iTunes 10.5 on Windows, iOS 5 fixes a large number of memory corruption problems in the WebKit browser engine which could lead either to application termination or arbitrary code execution. The new version also removes trust from the certificate authorities (CAs) operated by DigiNotar after the CA was compromised.
Apple has also released Update 4.4 for Apple TV which, among other things, removes trust in DigiNotar, supports TLS 1.2, closes holes in TIFF viewing and blocks an attack where a remote user could cause the device to reset.
Updates to its Pages and Numbers apps for iOS fix various buffer overflows and memory corruption issues that could be exploited to execute arbitrary code when, for example, opening a maliciously crafted Excel or Word file. Details about the app updates can be found in the Pages for iOS v1.5 and Numbers for iOS v1.5 mailing list announcements.
The iOS updates are compatible with iPhone 4 (GSM and CDMA models), iPhone 3GS, the original iPad and iPad 2, and the 3rd and 4th generation iPod Touch; the iPhone 4S, which is scheduled for release tomorrow (14 October), ships with iOS 5. The original iPhone, iPhone 3G, and 1st and 2nd generation iPod Touch are no longer supported and, as such, no longer receive iOS updates. Users can update their iOS-based mobile devices using the current version of iTunes. All users are advised to upgrade as soon as possible.
- About the security content of iOS 5 Software Update, security advisory from Apple.
- About the security content of Apple TV Software Update 4.4, security advisory from Apple.
- About the security content of Pages for iOS v1.5, security advisory from Apple.
- About the security content of Numbers for iOS v1.5, security advisory from Apple.
- iTunes 10.5 fixes security holes on Windows, a report from The H.
- Apple releases updates for DigiNotar SSL debacle, a report from The H.