Just days after the release of the new version 10.7 Mac OS Lion, Apple plugged four security holes with updates released Monday for iOS and iWork 09.
Apple’s security release incorporates three critical updates for its office suite, iWork, and one for iOS, the operating system that runs iPhone, iPod Touch and iPad, repairing vulnerabilities that enable hackers to infect victims via remote code execution attacks.
The iOS update transitions all users except Verizon customers to iOS version 4.3.5, while Verizon customers will be able to download iOS 4.2.10.
The update repairs a flaw in the way iOS handles X.509 certificates, which opens a security hole that could allow attackers to capture or alter data transmitted via SSL/TLS on iPhones and other Apple devices.
“Other attacks involving X.509 certificate validation may also be possible,” Apple said in its update.
However, an attacker would have to have or somehow obtain a “privileged network position” in order to exploit the flaw.
“I recommend applying this update as soon as possible as this could be a serious security and privacy risk,” said Chester Wisniewski, Sophos senior security advisor, in a blog post Tuesday.
In addition, Cupertino issued fixes for a total of three flaws in the Apple iWork 2009 office suite, two of which affect the Numbers application and one of which affects Pages. The update transitions users to version 9.1.
The iWork update repaired two memory corruption issues and a buffer overflow vulnerability that could let users unknowingly install malicious code by opening infected Excel spreadsheets or Microsoft Word documents.
In an attack scenario, cyber criminals would likely send users an infected Excel or Word document as an e-mail attachment, and entice them to open it through some kind of social engineering ploy.
Users would unintentionally install malware once they opened the files, which could potentially be used to take complete control of their computer and steal financial or otherwise sensitive data. Malicious code could also be used to shut down victims' computers entirely.
As usual, users can access the iOS update from iTunes, which requires them to connect their Apple mobile devices to iTunes for installation.
Users can install the iWork updates via the Software Update application found on the Mac OS X desktop.