Monday's iOS 5.1.1 rollout brought various bug fixes including HDR reliability and network switching, though the initial release note failed to mention what security changes made on the backend.
From the updated Support page:
iOS 5.1.1 Software Update
Safari
Available for: iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad, iPad 2
Impact: A maliciously crafted website may be able to spoof the address in the location bar
Description: A URL spoofing issue existed in Safari. This could be used in a malicious web site to direct the user to a spoofed site that visually appeared to be a legitimate domain. This issue is addressed through improved URL handling. This issue does not affect OS X systems.
CVE-ID
CVE-2012-0674 : David Vieira-Kurz of MajorSecurity (majorsecurity.net)
WebKit
Available for: iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad, iPad 2
Impact: Visiting a maliciously crafted website may lead to a cross-site scripting attack
Description: Multiple cross-site scripting issues existed in WebKit.
CVE-ID
CVE-2011-3046 : Sergey Glazunov working with Google's Pwnium contest
CVE-2011-3056 : Sergey Glazunov
WebKit
Available for: iPhone 3GS, iPhone 4, iPhone 4S, iPod touch (3rd generation) and later, iPad, iPad 2
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue existed in WebKit.
CVE-ID
CVE-2012-0672 : Adam Barth and Abhishek Arya of the Google Chrome Security Team
The fixes take care of an issue first discovered in March that allowed a malicious website to display a custom URL that is different than a website's actual address. The spoofing technique could have been used to trick users into unknowingly handing over sensitive information like credit card numbers.
27 Comments
Google identifying and offering fixes to Apple for Safari security issues, and Apple accepting. Nice to see them working together.
Google identifying and offering fixes to Apple for Safari security issues, and Apple accepting. Nice to see them working together.
Don't forget google uses webkit for Chrome
The two things identified by google are in Webkit, not safari.
In y opinion, apple needs to do MUCH better at protecting iOS users. They are not sophisticated, and so are the perfect candidates for falling prey to these maliciously crafted websites.
In y opinion, apple needs to do MUCH better at protecting iOS users. They are not sophisticated, and so are the perfect candidates for falling prey to these maliciously crafted websites.
I want to see how you backpedal your way out of explaining how that's NOT an insult directed at all users of iOS.
[quote name="Tallest Skil" url="/t/149922/apple-reveals-security-specifics-of-ios-5-1-1-update#post_2106532"][QUOTE name="I am a Zither Zather Zuzz" url="/t/149922/apple-reveals-security-specifics-of-ios-5-1-1-update#post_2106530"] In y opinion, apple needs to do MUCH better at protecting iOS users. [B]Many, if not most of them[/B] are not sophisticated, and so are the perfect candidates for falling prey to these maliciously crafted websites.[/QUOTE] I want to see how you backpedal your way out of explaining how that's NOT an insult directed at all users of iOS. [/quote] I spoke too broadly. Thanks for the comment. I improved the post above in bold.