Apple security fixes for SSL, Safari and iOS


You know how they say "Better late than never"? That appears to be Apple's approach to the Comodo SSL certificate scandal. Today they released OS X Security Update 2011-002, Safari 5.0.5 and iOS 4.3.2 (4.2.7 for Verizon).

Security Update 2011-002 is simply the certificate revocation for the certificates that were fraudulently signed by Comodo over 3 weeks ago. The steps I outlined for Apple users are still good practice though, so there is no need to revert the changes.

OS X 2011-002 update

Safari 5.0.5 applies to both the Windows and OS X versions of Apple's browser. The update contains two fixes; both flaws could cause arbitrary code execution or a crash when visiting a malicious website.

To apply these updates for OS X, click the Apple icon in the menu bar and choose Software Update.

Users of OS X mini (better known as iOS) have an update available as well. iOS 4.3.2 (4.2.7 for Verizon customers) was released to iTunes today and fixes the same certificate trust issue as the update for OS X.

It also patches the browser for the same two flaws as the Safari 5.0.5 update, and fixes an arbitrary code execution risk from the QuickLook application. QuickLook is used for viewing Microsoft Office files on iDevices, and this flaw appears to be the one used by Charlie Miller at this year's Pwn2Own contest.

iOS update 4.3.2

One fix applies to iOS 4.3.2 only: a bug in libxslt which could disclose memory addresses on the heap if exploited. What does this mean? Attackers need to know memory addresses to attack certain parts of iOS.

The latest versions of iOS use Address Space Layout Randomization (ASLR), which makes sure libraries are loaded at unpredictable locations in memory, making flaws more difficult to exploit. This flaw could enable attackers to discover these "secret" memory addresses.
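Why a single disclosed address matters, as an added example that is not part of the original post: Address Space Layout Randomization moves a library as one block, so the spacing between its functions never changes. The sketch assumes a Unix-like system with Python's `ctypes`; the names `SYMBOLS`, `locate_from_disclosure` and `report` are illustrative.

```python
import ctypes
import subprocess
import sys

# Two functions exported by the same C library (illustrative choice).
SYMBOLS = ("printf", "puts")

# One-liner run in a fresh interpreter so the loader places libraries anew.
CHILD = ("import ctypes; l = ctypes.CDLL(None); "
         "print(*[ctypes.cast(getattr(l, n), ctypes.c_void_p).value for n in %r])")


def symbol_addresses():
    """Addresses of SYMBOLS as loaded in the current process."""
    libc = ctypes.CDLL(None)  # handle to symbols already loaded (Unix-like only)
    return {n: ctypes.cast(getattr(libc, n), ctypes.c_void_p).value
            for n in SYMBOLS}


def fresh_process_addresses():
    """Addresses of the same symbols in a newly started process."""
    out = subprocess.run([sys.executable, "-c", CHILD % (SYMBOLS,)],
                         capture_output=True, text=True, check=True).stdout
    return dict(zip(SYMBOLS, map(int, out.split())))


def locate_from_disclosure(known, disclosed_addr, wanted):
    """Given one disclosed address, compute where `wanted` sits in that process.

    The distance between two symbols is fixed when the library is built;
    randomization moves the library as a whole and never changes that distance.
    """
    local = symbol_addresses()
    return disclosed_addr + (local[wanted] - local[known])


def report():
    here, there = symbol_addresses(), fresh_process_addresses()
    return {
        "randomized": here != there,  # False if ASLR is disabled on this host
        "same_spacing": here["puts"] - here["printf"]
                        == there["puts"] - there["printf"],
        "located": locate_from_disclosure("printf", there["printf"], "puts")
                   == there["puts"],
    }


if __name__ == "__main__":
    print(report())
```

This is why vendors patch address disclosures as security bugs in their own right, even when the flaw cannot run code by itself.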

To update your iPhone/iPad/iPod touch device, connect it to your computer with iTunes, select the device on the left side and press the "Check for updates" button.

For the best security on your Macintosh, download Sophos Anti-Virus for Mac Home Edition. There is no reason not to, as it is absolutely free.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.