New Apple iOS 5.1.1 update ( Fixes serious vulnerabilities )

Apple have released the latest version of iOS. The latest release is not just cosmetic however , it patched at least 3 serious security flaws.7
The official information can be found here : http://support.apple.com/kb/DL1521 , but the security reasons for updating are hard to find from DL1521. The article shows a list of five “improvements and bug fixes”, none of which is a compelling reason on its own to update now. To see the security issues – you need to visit http://support.apple.com/kb/HT5278, and if you have an iDevice, I strongly suggest you read it.

A brief summary of the security issues :
 
(1) Address-bar spoofing. Site X could direct you to site Y, but make it look as though you’d gone to site Z. Although this sounds like a minor issue, it isn’t. The address bar is supposed to be accurate at all times, because it’s the primary indicator of whose site you’re actually visiting. Indeed, the browser is supposed to ensure that untrusted content – such as JavaScript – inside a web page can’t write into or affect the surrounding user interface (the so-called “chrome”) itself. Address-bar spoofing is very useful to scammers, phishers and peddlers of malware because it lets them masquerade their bogus websites as the real deal.
 
(2) Cross-site scripting. When you visit site X, code pulled in from site Y could execute as though it had been served from site X. XSS (short for cross-site scripting) is always a cause for concern. Web browsers are supposed to enforce a “same-origin” policy. Content from site Y should only be able to see cookies set for site Y, and scripts served from site Y should only be able to connect back to site Y to exchange or request further data. If a script from site Y can view cookies set for site X, then a crook in control of site Y may be able to recover session authentication data (set by site X when you logged in), and thus to impersonate you online.
 
(3) Remote code execution. A maliciously crafted web page might crash your browser in such a way that it ends up running program code secretly embedded in the page. Executable machine code served up in an untrusted web page should never be able to get near to the CPU without provoking one or more do-you-really-intend-to-do-this dialogs. This helps to protect you from installing malware by mistake. Any time a hacker gets hold of an exploitable remote code execution (RCE) vulnerability, they’re laughing. They can sneak malware onto your computer or mobile device without consent or warning.
 
So in short update to iOS 5.1.1 as soon as you possibly can.



Leave a Reply