iOS update for iPhone and iPad blocks fake certificates
The iOS 4.3.2 software update for the iPhone, iPad and iPod Touch has been released. Among its security updates is the blacklisting of the fraudulent SSL certificates which were issued after an attacker compromised the Comodo SSL Certification Authority. At the end of March, browser makers began blocking the fake certificates for the login.live.com, mail.google.com, www.google.com, login.yahoo.com, login.skype.com and addons.mozilla.org domains.
A bug in QuickLook, found by Charlie Miller and Dion Blazakis, which allowed arbitrary code to be executed on viewing a maliciously crafted Microsoft Office file, has been fixed. In WebKit, an integer overflow when handling nodesets, found by Vincenzo Iozzo, Willem Pinckaers, Ralf-Philipp Weinmann and others, and a use-after-free issue in the handling of text nodes, discovered by Vupen and Martin Barbella, were also fixed. These issues had been reported through TippingPoint's Zero Day Initiative. Finally, a fix to a libxslt bug reported by the Google Chrome Security Team stops maliciously crafted web sites attempting to bypass ASLR protection.
The update also fixes non-security bugs which caused blank or frozen video in FaceTime and a problem which prevented some international users from connecting to 3G networks on the iPad. Apple has also released iOS 4.2.7, which offers the same security fixes for the Verizon CDMA version of the iPhone 4. Users can update their iOS-based mobile devices using the latest version of iTunes.