Apple update patches critical iPad flaws

By Stefanie Hoffman on Nov 26, 2010 8:22 AM
Filed under Security

Apple's iOS 4.2 update repaired a multitude of pending security vulnerabilities.

Users anticipating an iPad or an iPod Touch for the holidays will also be getting a device less susceptible to hacker attacks.

In addition to enhancing a plethora of AirPrint and Gaming Center features for iPad, iPhone and iPod Touch, Apple's massive iOS 4.2 update, released this week, repaired a multitude of pending security vulnerabilities for the company's mobile platforms.

Altogether, the comprehensive update repaired around 40 glitches, including serious flaws in WebKit, CoreGraphics, ImageIO, FreeType, Photos, Safari and Telephony, among others.

The bulk of the security update was dedicated to Apple's WebKit with at least 27 fixes for vulnerabilities, the majority of which led to remote code execution attacks.

The update addressed major flaws in the way WebKit handled just about everything, including SVG documents, inline styling, CSS boxes, Web sockets, Text objects, editing commands, JavaScript and Geo-location features.

Almost all of the WebKit flaws opened the door to remote code execution. Attackers could create a specially crafted Website and then trick users into visiting it, typically through some kind of social engineering. Once users clicked on the malicious links, malicious code would be downloaded onto their devices, enabling the remote attackers to either shut down or take control of those devices.

Another WebKit fix included a Safari glitch that enabled Websites to track users' online behaviour without using cookies, hidden form elements, IP addresses or other techniques.

In addition, the update included two fixes for networking errors stemming from null and invalid pointer dereference issues in the handling of Protocol Independent Multicast (PIM) packets and packet filter rules. Hackers who exploited the vulnerabilities could cause a user's computer to shut down in a denial of service attack, or use malicious code to gain unauthorised access to the user's system.

Meanwhile, Safari also received a patch for a bug that prevented passwords from being removed from memory when users pressed the "Reset Safari" button, giving anyone who accessed the device within a short timeframe afterwards the ability to acquire the stored credentials. The glitch would likely have had the most significant impact on users sharing public computers in a library, Internet cafe or university, for example.

The massive update also prevented users from becoming victims of arbitrary code execution attacks when receiving attached documents. Apple repaired a FreeType heap buffer overflow error that enabled hackers to infect users by placing maliciously crafted fonts in a PDF document, and also repaired a critical memory corruption OfficeImport vulnerability that enabled hackers to take complete control of a user's computer via an infected Excel file.


Security experts underscored the necessity for users to apply the patches as soon as possible.

"It's critical that users of Apple's popular gadgets update their operating system as soon as possible. Fixes included in the iOS 4.2 update include patches for the web browser," said Graham Cluley, Sophos senior technology consultant, in a blog post.

"Without these, users could be at risk when they visit booby-trapped websites - code embedded on the website could cause iOS applications to crash, or even plant and run malicious code on the device."

Just days after Apple's iOS 4.2 became available, rumours circulated that the release of iOS version 4.3 is just around the corner, anticipated sometime in December. Apple, however, declined to confirm the rumours.

This article originally appeared at crn.com

Copyright © 2014 The Channel Company, LLC. All rights reserved.